(57) Abstract: Methods and apparatus to enable owners and vendors of software
to protect intellectual property and to charge per-use. The system produces a
unique tag for every instance of software. Each user device runs a supervising
program that ensures, by use of the tag, that no software instance will be used
infringing on the software owner's rights. When installing or using a software
instance, the supervising program verifies the associated tag and stores the
tag. When installing or using untagged software, the supervising program
fingerprints selected portions of the software and stores the fingerprints. A
user device's supervising program periodically calls up, or is called up by, a
guardian center. The guardian center detects unauthorized use of software by
comparison of current call-up data with records of past call-ups. The guardian
center completes the call-up by enabling or disabling continued use of the
monitored software instances.

METHODS AND APPARATUS FOR PROTECTING INFORMATION

BACKGROUND OF THE INVENTION 

Software or information piracy is the activity of using or making copies of
software or information without the authorization of the creator or legitimate
owner of that software or information. Piracy is most prevalent in the computer
software application industry where people frequently make unlicensed illegal
copies of a software application. The application may be copied for personal
use or for re-production and commercial profit. Other types of piracy include
acts of copying information such as musical recordings or an electronically
readable version of documentation or an electronic book. In all cases, piracy
costs billions of dollars of lost profits to business annually.

The software and information technology industries have responded to the
threat of piracy through the use of locking schemes. Locking schemes can include
software locking mechanisms, licenses and specialized hardware devices which
prevent unauthorized use of software, information, or an entire electronic
device. These schemes seek to prevent adversaries from being able to freely
copy software.

There are many types of software locking mechanisms. For example, a
manufacturer can encrypt portions of a software program with a unique key. A
customer who purchases the software is given the key which allows decryption
and execution of the software. An example of such a software protection
mechanism is a "Certificate of Authenticity" supplied with the purchase of
software programs such as Microsoft Windows 98, manufactured by the Microsoft
Corporation of Redmond, Washington. Microsoft and Windows98 are trademarks of
the Microsoft Corporation. The Certificate of Authenticity indicates a unique
product number. During installation of the software, the product number is
requested by the software application and must be entered correctly by the
user. If the product number entered matches a number expected by the
application, the copy of the application is assumed to be legitimate and is
allowed to be installed and executed as normal. If the number entered is
incorrect, the software will not install properly.

Hardware piracy protection schemes attach a device to the processor,
typically through a communications port. These types of hardware devices are
often called "dongles". An example of a hardware protection scheme is provided
in U.S. Patent No. 3,996,449 which discloses a method for determining if a
program or a portion of a program is valid when running on a computer. In this
system, a hash function is applied to a user's identification code or key along
with the text of the program itself in a special tamper-proof hardware checking
device. The checking device compares a resulting value from the hash function
with a verifier value to see if the program text is correct. If the text is
correct, the program is allowed to execute on the device.

Another hardware related approach assigns a unique identifier to each
processor that can execute programs. Software programs are then encoded with
the identity of a designated processor identifier to which that program is
assigned or authorized to execute. No other processor identifications are
provided for the software and thus the software will not run on other
processors. Obviously, such systems can provide usage limitations when
attempting to execute software on a processor with which that software is not
specifically associated. The number assignment mechanism may be supervised
through the use of an authorization network which can associate a piece of
software with a specific processor identification number.

Aside from the electronic hardware and computer software application and
data protection mechanisms noted above, little has been done to thwart the
piracy of other types of encoded information that is accessed by electronic
devices, such as musical recordings.

SUMMARY OF THE INVENTION
Characteristics of Prior Art Systems

Prior art techniques for protecting the unauthorized use of software and
information suffer from a variety of problems. Systems which use a certificate
of authenticity or key suffer in that one key allows unlimited usage of the
program and nothing prevents copying of the key. As such, the owner of a copy
of the software can pass his key or certificate along with the software or
information to someone else who can use the certificate or key to install and
run the software or to access the information. If one key allows only a single
usage or a one-time execution, the problem of copying may be solved but then
each usage requires a separate key to be entered. To be commercially acceptable
most programs require multiple uses.

Software locks are also easy to break on personal computers because the
owner of the machine has unrestricted privileges and unlimited time to attempt
to break locks. Hardware protection solutions lack flexibility since the
hardware designer needs to know the nature of the software to be protected in
advance of the production of the hardware device. Furthermore, if different
pieces of software using different hardware protection mechanisms are to be
run, separate individual hardware devices must be provided. Costs associated
with custom hardware production and the fact that consumers have found hardware
protection schemes difficult to deal with, prevent widespread deployment of
hardware protection mechanisms.

Hardware protection schemes thus limit the flexibility to move software from
device to device. Users may not be able to buy software before buying their
computational devices, because they do not know the identities of the devices
at the time of purchase. Hardware manufacturers may cheat users by giving the
same identifier to many machines. Finally, skilled hackers may be able to forge
identities of hardware devices by reverse engineering techniques or change
software so it fails to check the hardware identifier.

Characteristics Of Embodiments Of The Invention: 

The invention overcomes these and other problems. The invention provides
methods and apparatus to enable owners or vendors or distributors, each of whom
will be hereinafter referred to as a vendor, of software to protect their
intellectual property and other rights in that software. Software is defined
hereinafter in a broad sense to include such things as computer programs, text,
data, databases, audio, video, images, or any other information capable of
being represented digitally or as a signal, said software being accessed by or
used by users on devices (hereinafter referred to as user devices or devices)
such as computers or special purpose devices. The invention also enables
vendors of software to charge on a pay per-use basis for an instance of
software.

Specifically, the invention provides a system, methods and apparatus for
supervising usage of software on a user's device and for a monitoring regime
that prevents a device from employing any instance of software in a manner not
authorized by the legitimate vendor or owner of the rights to that software.

A vendor's rights in a particular software may be infringed upon in a number
of ways, including but not limited to the following. A user may make copies of
a vendor's software purchased by him and give them to other users who install
the software on their devices, when this is not allowed under the first user's
terms of purchase of the software. An organization purchases or rents a
vendor's software and is allowed to make and use a specified number of copies
of the software and then exceeds that specified number. A pirating vendor makes
illegal copies of a legitimate vendor's software and sells these copies. A
pirating vendor modifies a legitimate vendor's software, for example
recompiling an application program or renaming and otherwise changing a song,
and distributes and sells copies of the infringing software.

The invention achieves the above mentioned protection of legitimate
vendor's rights in software and prevents any infringement of these rights by
users, without resorting to encryption of instances or parts of instances of
software and requiring the user to decrypt before access, without requiring
special hardware devices or attachments ("dongles") or special processors, and
without requiring manufacturers to build identifying numbers into hardware.
Thus the disadvantages and weaknesses associated with these solutions are
avoided in the present invention. Furthermore, the methods and apparatus of the
invention do not enable denial of service, where an unscrupulous adversary
attempts to use the protection mechanisms of the system to prevent a legitimate
user from accessing software which this user is employing in accordance with
the rightful vendor's specified regime.

Using this invention, a software vendor may have a specific piece of
software, such as a specific application program or a specific book or song,
which the vendor wishes to sell or lease, or otherwise distribute in a
controlled manner, to users. Each particular copy of the software which is
intended to be installed on or used on a user's device, is referred to as an
instance of that software, or as a software instance. In general, software can
be installed on, accessed by, or used on a user device, with each of these
access modes referred to hereinafter as use or use of software. Thus, for
example, use of an instance of software which is an application program
includes, but is not limited to, installing that instance or reading it or
copying it or executing it. And use of text includes, but is not limited to,
installing the text on the device or reading the text by use of the device or
copying portions of that text on or by use of the device.

Components and Steps of Specific Embodiments of the Invention 

Specifically, the invention provides a system for supervising usage of
software. The system includes a software vendor producing instances of software
and a tag server accepting the instances of software. The tag server produces a
plurality of tags, one per instance of software, and each tag uniquely
identifies an instance of software with which it is associated. A user device
receives and installs an instance of software and securely receives a tag
uniquely associated with that instance of software. The user device includes a
supervising program which detects attempts to use the instance of software and
which verifies the authenticity of the tag associated with the instance of
software before allowing use of the instance of software. The supervising
program on the user device verifies the authenticity of the tag and maintains
or stores the tag in a tag table and maintains or stores the instance of
software, preferably on a storage device, if the tag is authentic. The
supervising program rejects the instance of software if the tag associated with
the software is not authentic.

A tag is preferably unique to an instance of software. The tags created by the
authentication server include at least one of a name of an instance of
software, a unique number of an instance of software, and/or a hash function
value on portions of an instance of software. Preferably, the unique number of
the instance of software is selected from a sparse set of numbers. In other
embodiments, each tag further comprises a unique identifier of the supervising
program. In yet another embodiment, each tag includes at least one fingerprint
computed on portions of the instance of software associated with the tag.

To verify and determine if a tag is authentic, the supervising program can
verify a hash function value in the tag or can verify a digital signature of
the tag. In another embodiment, the supervising program verifies that the
unique identifier of the supervising program in a tag is the same as an
identifier of the supervising program on the user device. In the embodiment
using fingerprinting, the supervising program verifies that the software
instance associated with a tag satisfies a same-location fingerprint check
against the at least one fingerprint included in the tag associated with the
instance of software. The same-location fingerprint check may be performed by
the supervising program at least one time of before, during, and after use of
the instance of software.

In embodiments that use fingerprinting, each tag further includes at least one
list of locations containing values from which the at least one fingerprint is
computed and the supervising program verifies that the software instance
associated with each tag satisfies a same-location fingerprint check against
the at least one fingerprint associated with the software at locations
specified in the at least one list of locations. Alternatively, general
location fingerprinting may be used. (In same-location fingerprinting, two
sequences of fingerprints on a common sequence of locations match if the first
fingerprint from the first sequence matches the first fingerprint from the
second sequence, the second fingerprint from the first sequence matches the
second fingerprint from the second sequence, and so on. In general-location
fingerprinting, two sequences of fingerprints match if each fingerprint in the
first sequence matches some fingerprint in the second sequence and each
fingerprint in the second sequence matches some fingerprint in the first
sequence.) Since the tag is separate from the instance of software, the
invention provides protection for software without the need to modify the
software.

According to another aspect of the invention, whenever any data file is
accessed by an instance of software, information associated with an instance of
software performing the access is stored in a location associated with the data
file. The information associated with the instance of software may be the tag
associated with the instance of software as well as the time of modification
performed by the instance of software. Preferably, the information associated
with the instance of software performing the access is written to a secure
location which the supervising program alone can access. Essentially, this
aspect of the invention is used to track piracy of software that uses shared
software data.

In this case, when an instance of the software attempts to access a data file
(i.e., shared software data) having associated information stored in the
location associated with that data file, the supervising program tests whether
the associated information stored is information associated with the instance
of software currently attempting access. If so, the supervising program
determines whether that instance was a pirated copy. To do so, the supervising
program according to one aspect can use an unaliasable hash function to verify
the associated information stored in the location associated with the data file
for which access is currently being attempted. In addition, the supervising
program can use the time of the last modification. The idea is to see whether
this data file was written by a software instance having a tag of the software
instance on this device and if so whether the software instance on this device
in fact wrote that data file at the time of the last modification. If not, at
least two software instances having the same tag are in circulation and piracy
has taken place.

Another embodiment of the invention includes a guardian center having a
tagged software database and a verification program. The guardian center
periodically communicates with the user device via a call-up procedure to
receive tags from the user device. The tags are associated with instances of
tagged software used on the user device. The verification program examines each
tag received from the user device against the tagged software database to
ensure that the tags are in compliance with at least one usage supervision
policy. Preferably, the usage supervision policy is associated with at least
one individual instance of software with which at least one tag is associated.
The verification program returns a continuation message to the user device. The
continuation message indicates for the instance of software associated with
each tag on the user device an action to follow. The supervising program on the
user device receives and verifies the continuation message for authenticity and
if authentic, performs the action to follow indicated in the continuation
message. In this manner, the guardian center can ultimately determine access to
software on user devices, by controlling tag usage status.

Preferably, all messages between the guardian center and the user device are
sent in a secure fashion and the secure fashion involves public key encryption.

According to another aspect of the invention, at least one of the software 
vendor, the tag server, and the guardian center are combined with another of the at 
least one of the software vendor, the tag server and the guardian center. 

According to another aspect of the invention, when the supervising program
on a user device communicates with the guardian center, the process is called a
call-up. The maximum allowed time interval between successive call-up
procedures is preferably determined by at least one of a combination of the
time elapsed in the user device, a number and duration of uses of instances of
software, a number of times the user device is powered on, and a measure of use
of the user device. When a user device fails to perform a call-up procedure
with the guardian center before the end of a maximum allowed interval since the
last call-up procedure, the user device is disabled for a period of time or
usage of certain instances of software is denied for a period of time.
Preferably, a call-up occurs when an instance of software is used (i.e.,
accessed, installed, or otherwise detected) a first time on a user device.
Alternatively, a call-up may occur due to a request from the guardian center.

According to one aspect of the invention, during a call-up, the supervising
program tests the authenticity of the continuation message by verifying that a
hash function value of a tag table in the continuation message is the same as a
hash function value of a tag table sent in a call-up message from the user
device. Verifying a digital signature in the continuation message may also be
used.

When a user device receives no continuation message following a call-up
message to the guardian center, the user device can resend a call-up message
with a cancellation command for a previous call-up message. This aspect allows
the user device to attempt call-up again.

In the guardian center, the usage supervision policy may be associated with
the entire user device with which the guardian center communicates during the
call-up procedure, or the usage supervision policy is associated with an
individual user of the user device with which the guardian center communicates
during the call-up procedure, or usage supervision policy is associated with a
usage supervision history of the user device with which the guardian center
communicates during the call-up procedure.

According to another aspect of the invention, the guardian center maintains a
tag data structure in the tagged software database for each tag associated with
each instance of software on each user device. Each tag data structure includes
a tag of an instance of software, a usage supervision policy associated with
the instance of software, and a collection of references to call-up records.
Each call-up record in the collection of call-up records represents information
concerning one call-up procedure. The continuation message associated with the
call-up procedure includes at least one of a call-up time, a header of a tag
table transferred to the guardian center during the call-up procedure, a last
call-up time indicating a time stamp of a former call-up procedure, a hash
function value of the tag table transferred to the guardian center during the
call-up procedure, and actions to follow on the user device. The reason for
keeping previous call-up records is to enable the guardian center to ensure
that only one device has a given header of a tag table. Otherwise it would be
possible for different physical devices to share the same software instances in
violation of usage supervision policies.
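
An added illustration (not part of the patent text) of the call-up exchange described above: the guardian center keeps call-up records per tag table header, and the user device accepts a continuation message only if it echoes the hash function value of the tag table it sent. The message fields, SHA-256 over JSON, and the rule that the device's reported last call-up time must equal the guardian's most recent accepted call-up for that header are assumptions made for this sketch; all names and values are constructed.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


def tag_table_hash(tag_table: dict) -> str:
    """Hash function value of a tag table (assumed: SHA-256 over canonical JSON)."""
    canonical = json.dumps(tag_table, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


@dataclass
class CallUpRecord:
    call_up_time: int
    last_call_up_time: Optional[int]
    table_hash: str
    actions: dict
    accepted: bool


class GuardianCenter:
    def __init__(self):
        self.records = {}  # tag table header -> list of CallUpRecord

    def call_up(self, message: dict, now: int) -> dict:
        history = self.records.setdefault(message["header"], [])
        accepted_times = [r.call_up_time for r in history if r.accepted]
        expected = accepted_times[-1] if accepted_times else None
        # Assumed policy: a device whose own "last call-up" differs from the
        # guardian's record shares its tag table header with another device.
        consistent = message["last_call_up_time"] == expected
        action = "continue" if consistent else "disable"
        actions = {tag: action for tag in message["tags"]}
        history.append(CallUpRecord(now, message["last_call_up_time"],
                                    message["table_hash"], actions, consistent))
        return {"call_up_time": now, "table_hash": message["table_hash"],
                "actions": actions}


class SupervisingProgram:
    def __init__(self, header: str, tag_table: dict):
        self.header = header
        self.tag_table = dict(tag_table)  # tag -> usage status
        self.last_call_up_time = None

    def build_call_up(self) -> dict:
        return {"header": self.header, "tags": sorted(self.tag_table),
                "table_hash": tag_table_hash(self.tag_table),
                "last_call_up_time": self.last_call_up_time}

    def apply_continuation(self, sent: dict, continuation: dict) -> bool:
        # Reject a continuation that does not echo the hash we sent.
        if continuation["table_hash"] != sent["table_hash"]:
            return False
        for tag, action in continuation["actions"].items():
            self.tag_table[tag] = "enabled" if action == "continue" else "disabled"
        self.last_call_up_time = continuation["call_up_time"]
        return True


def run_scenario() -> dict:
    guardian = GuardianCenter()
    original = SupervisingProgram("header-0001", {"tag-editor-0001": "enabled"})

    msg = original.build_call_up()
    original.apply_continuation(msg, guardian.call_up(msg, now=100))

    clone = copy.deepcopy(original)  # tag table copied to a second device

    msg = clone.build_call_up()
    clone.apply_continuation(msg, guardian.call_up(msg, now=150))

    msg = original.build_call_up()
    reply = guardian.call_up(msg, now=200)
    forged = dict(reply, table_hash="0" * 64)  # constructed tampered reply
    forged_accepted = original.apply_continuation(msg, forged)
    original.apply_continuation(msg, reply)

    return {"clone_status": clone.tag_table["tag-editor-0001"],
            "original_status": original.tag_table["tag-editor-0001"],
            "forged_accepted": forged_accepted,
            "records_kept": len(guardian.records["header-0001"])}
```

In this scenario the second device to call up after the copy is the one that gets disabled, whichever device that is: the records show that two devices share a header, not which of them is the original. The hash echo only binds the reply to the call-up; the text above also mentions verifying a digital signature in the continuation message.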

In an alternative or combined implementation of the guardian center, the
guardian center includes a verification program. According to this aspect, the
guardian center periodically communicates with the user device via a call-up
procedure to receive a unique identifier for the user device's supervising
program from the user device. The verification program examines the unique
identifier to ensure that at most one supervising program has that identifier,
and the verification program returns a continuation message to the user device.
The continuation message indicates an action to follow upon attempted use of
the instances of software associated with each tag on the user device. The user
device's supervising program verifies the continuation message for authenticity
and if authentic, performs the action in the continuation message.

According to this embodiment of the guardian center, the supervising
program identifier is generated a first time that the supervising program is
invoked, based on a rarely duplicated number. Preferably, the rarely duplicated
number is a very precise clock value occurring when the supervising program is
first invoked in the machine. Alternatively, the rarely duplicated number is
provided by a guardian center. Alternatively or in combination, the number may
depend on the values of some memory locations.

According to another system of the invention, the system also includes an
untagged instance of software used on the user device. In this system, the
supervising program detects the use of the untagged instance of software and
performs a fingerprinting process on the untagged instance of software and
stores fingerprints resulting from the fingerprinting process on the user
device. The user device's supervising program further performs a fingerprinting
process on a tagged instance of software used on the device and stores the
fingerprints resulting from the fingerprinting process in a fingerprint table
on the user device. The supervising program stores locations from which the
fingerprints are computed. The fingerprints may be based on contents of the
instance of software. Alternatively, the fingerprints are based on known
sequences of behavior of the instance of software.

According to an embodiment of the guardian center in this system, the
guardian center includes a fingerprint data structure and a verification
program. The guardian center periodically communicates with the user device via
a call-up procedure to receive all fingerprints from the user device for an
instance of software used on the user device. The verification program compares
every fingerprint received from the user device against the fingerprint data
structure to determine if an instance of software used on the user device is an
infringing instance of software. If the verification program detects more than
a specified number of matches between fingerprints in the guardian center's
fingerprint data structure and fingerprints received from the user device, the
verification program specifies a punitive action to be performed, and the
verification program returns a continuation message to the user device. The
continuation message indicates the punitive action to be performed on the user
device.

The software vendor transmits a copy of an infringing instance of software
to the guardian center and the guardian center computes fingerprints on the
copy of the infringing instance of software and incorporates and stores the
fingerprints into the fingerprint data structure on the guardian center.

According to one aspect of this system, the fingerprint matching process is
general location fingerprint matching. For speed, the fingerprint matching uses
an inverted guardian center fingerprint table.
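
An added illustration (not part of the patent text) of the two matching rules defined earlier for same-location and general-location fingerprinting, and of the guardian center's inverted fingerprint table with its "more than a specified number of matches" test. The fingerprint function (truncated SHA-256 over fixed 8-byte portions), the sample byte strings, the software name and the threshold are assumptions constructed for this sketch.

```python
import hashlib
from collections import defaultdict

BLOCK = 8  # assumed size in bytes of each fingerprinted portion


def fingerprint(data: bytes, location: int) -> str:
    """Fingerprint of the BLOCK bytes at `location` (assumed: truncated SHA-256)."""
    return hashlib.sha256(data[location:location + BLOCK]).hexdigest()[:16]


def fingerprints_at(data: bytes, locations) -> list:
    """Sequence of fingerprints computed at a list of locations."""
    return [fingerprint(data, loc) for loc in locations]


def same_location_match(first, second) -> bool:
    """i-th fingerprint of one sequence must equal i-th of the other."""
    return len(first) == len(second) and all(a == b for a, b in zip(first, second))


def general_location_match(first, second) -> bool:
    """Every fingerprint in each sequence matches some fingerprint in the other."""
    return set(first) == set(second)


class GuardianFingerprintTable:
    """Inverted table: fingerprint -> names of infringing software containing it."""

    def __init__(self, threshold: int):
        self.threshold = threshold  # the "specified number of matches"
        self.inverted = defaultdict(set)

    def add_infringing(self, name: str, data: bytes) -> None:
        # Fingerprint every aligned portion of the copy sent by the vendor.
        for loc in range(0, len(data) - BLOCK + 1, BLOCK):
            self.inverted[fingerprint(data, loc)].add(name)

    def check(self, device_fingerprints) -> dict:
        """Return {name: match count} for software exceeding the threshold."""
        hits = defaultdict(int)
        for fp in set(device_fingerprints):
            # One dictionary lookup per reported fingerprint, independent of
            # how many infringing copies the guardian center knows about.
            for name in self.inverted.get(fp, ()):
                hits[name] += 1
        return {name: n for name, n in hits.items() if n > self.threshold}


# Constructed sample data: four 8-byte portions per "software instance".
ORIGINAL = b"A" * 8 + b"B" * 8 + b"C" * 8 + b"D" * 8
REORDERED = b"B" * 8 + b"A" * 8 + b"C" * 8 + b"D" * 8  # same portions, moved
UNRELATED = b"w" * 8 + b"x" * 8 + b"y" * 8 + b"z" * 8
LOCATIONS = [0, 8, 16, 24]


def demo() -> dict:
    fp_original = fingerprints_at(ORIGINAL, LOCATIONS)
    fp_reordered = fingerprints_at(REORDERED, LOCATIONS)
    table = GuardianFingerprintTable(threshold=2)
    table.add_infringing("pirated-editor", ORIGINAL)
    return {
        "same_location": same_location_match(fp_original, fp_reordered),
        "general_location": general_location_match(fp_original, fp_reordered),
        "flagged_reordered": table.check(fp_reordered),
        "flagged_unrelated": table.check(fingerprints_at(UNRELATED, LOCATIONS)),
        "flagged_partial": table.check(fp_reordered[:2]),
    }
```

The reordered copy fails the same-location check but still matches under the general-location rule, which is why the guardian center's lookup is the one that catches rearranged copies.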

The punitive action can specify that the user device be disabled for a
specified length of time, or can specify that the instance of software
associated with the fingerprint that was matched to a fingerprint in the
fingerprint data structure of the guardian center should be disabled for a
specified length of time. The punitive action depends on at least one of a
combination of the history of the behavior of the user device, the history of
the behavior of a particular user on the user device, and the collection of
software present on the user device.

Another embodiment of the invention provides a tag table data structure
encoded on a user device's readable medium, such as a computer readable medium.
The tag table data structure includes at least one tag that is uniquely
associated with one instance of software and includes at least one field
associated with the tag in the tag table, and includes at least one field
indicating a usage status associated with the tag associated with the instance
of software. The at least one field may also indicate use statistics for the
one instance of software associated with the tag. The tag table may also
include a tag table header that uniquely identifies the tag table. The tag
table header can include information concerning user device use statistics and
can include a continuation message as well. That tag table is used to store
information concerning the ability of instances of software to be used on user
devices.

Apparatus and methods of the invention include a software vendor
comprising a software production mechanism creating instances of software each
having at least one of a name and software content. Each instance of software
is usable only in conjunction with a tag that is unique to that instance of
software. The tag is preferably a unique unforgeable collection of information
concerning the instance of software with which the tag is associated and
includes at least one of the name of the software, a unique number of the
instance of software and hash function value on portions of content of the
software, an identifier of the supervising program associated with a user
device upon which the instance of software is to be used, or a list of
fingerprints of portions of the instance of software with which the tag is
associated.

According to certain embodiments of the invention, the software vendor may
include an infringing software detection mechanism that detects software that
is infringing on the vendor's rights and that transfers a copy of the
infringing software to a guardian center so that usage supervision can be
implemented to detect attempted use of an instance of the infringing software
on a user device.

According to another aspect of this embodiment, the guardian center can
invalidate any tag associated with an instance of the infringing software and
can send a punitive action to any user device detected by the guardian center
to have used the instance of infringing software.

Another embodiment of the invention is a user device that includes an input
port that receives an instance of software and receives a tag uniquely
associated with that instance of software and also receives a request to use
the instance of software. A processor included in the user device executes a
supervising program. The supervising program detects the request to use the
instance of software and verifies the authenticity of the tag associated with
the instance of software before allowing use of the instance of software by the
user device. The supervising program also verifies the authenticity of the tag
and stores the tag in a tag table and maintains the instance of software if the
tag is authentic and rejects the instance of software if the tag associated
with the software is not authentic.

According to one aspect of the user device, the supervising program
computes a hash function value on the instance of software and compares the
computed value with a hash function value in the tag to determine whether the
tag is authentic and is properly associated with the instance of software. The
tag is preferably digitally signed and the supervising program verifies the
authenticity of the tag by verifying a digital signature of the tag.

Within the user device, the tag table is a data structure stored in storage on
the user device and contains at least one tag that is uniquely associated with
an instance of software and includes at least one field associated with the tag
in the tag table, the at least one field indicating a usage status for the
instance of software associated with the tag. The supervising program
periodically or otherwise determines that a call-up procedure is required as
defined by a call-up policy and the supervising program performs the call-up
procedure to update the usage status of tags stored in the tag table.

The supervising program can also verify that each data file used by tagged
software is produced by a legitimate instance of software.

During performance of the call-up procedure, the supervising program
securely transmits the tag table from the user device via an interconnection
mechanism coupled to the user device and awaits reception of a continuation
message returned to the user device, the continuation message indicating
actions to be performed for each tag in the tag table. Also during the
performance of the call-up procedure, the supervising program securely
transmits a tag table header from the user device via an interconnection
mechanism coupled to the user device and awaits reception of a continuation
message returned to the user device that indicates an action to be performed
for each tag in the tag table.

Another embodiment of the invention allows control over the use of
untagged software. A user device according to this embodiment includes an
untagged instance of software used on the user device. The supervising program
detects the untagged instance of software and performs a fingerprinting process on
the untagged instance of software and stores fingerprints resulting from the
fingerprinting process in a fingerprint table on the user device. The supervising
program periodically or otherwise determines that a call-up procedure is required as
defined by a call-up policy and the supervising program performs the call-up
procedure to update the usage status of untagged instances of software stored on the
user device. Thus, the control of untagged software may take place regardless of the
existence or the control of tagged software.

When performing the call-up procedure, the supervising program transmits a
portion of the fingerprint table from the user device via an interconnection
mechanism coupled to the user device and awaits reception of a continuation
message returned to the user device that indicates actions to be performed for each
untagged instance of software stored on the user device.

According to another embodiment of the invention, a guardian center is
provided that comprises a tagged software database and a verification program
executing on a processor in the guardian center. The guardian center periodically
executes a call-up procedure to receive, via an interconnection mechanism, tags for
instances of software. The verification program examines each tag received against
the tagged software database maintained on the guardian center to ensure that the
tags are in compliance with at least one usage supervision policy. The verification
program transmits a continuation message via the interconnection mechanism
indicating actions to follow upon attempted use of the instances of software
associated with each tag received by the guardian center during the call-up
procedure.

According to aspects of this embodiment, the usage supervision policy may
be associated with each instance of software with which at least one tag is
associated. Also, the usage supervision policy may be associated with a user device
with which the guardian center communicates to receive tags. The usage
supervision policy may also be associated with an individual user of the user device
with which the guardian center communicates to receive tags.

The guardian center maintains a tag data structure in the tagged software
database for each tag associated with each instance of software on each user device
and receives newly created tags associated with instances of software from a tag
server and further receives tags associated with instances of software used on a user
device in a tag table transmitted from the user device. Each tag data structure
includes at least one of a tag of an instance of software, a name of the instance of
software, a unique number of the instance of software, a hash function value on the
instance of software, a usage supervision policy associated with the instance of
software, and a collection of references to call-up records associated with the tag
associated with the said instance of software.

Each call-up record in the collection of call-up records represents
information concerning one call-up procedure and includes at least one of a call-up
time, a header of a tag table transferred to the guardian center during the call-up
procedure, a last call-up time indicating a time stamp of a former call-up procedure,
a hash function value of the tag table transferred to the guardian center during the
call-up procedure, and the action to follow on the user device contained in the
continuation message associated with the call-up procedure.

A variation of the guardian center according to this invention includes a
fingerprint data structure and a processor executing a verification program. The
verification program periodically executes a call-up procedure with a user device to
receive, via an interconnection mechanism, fingerprints for instances of software
used on the user device. The verification program examines each fingerprint
received against the fingerprint data structure to determine if an untagged instance of
software used on a user device is an infringing instance of software, and if so, the
verification program prepares a punitive action to be executed on the user device.

In one embodiment, all vendor software is fingerprinted and infringements of
one vendor's software upon another vendor's software are detected based on general
location fingerprint checking. If the verification program detects a sufficient number
of matches between a fingerprint in the fingerprint data structure and a fingerprint
within the fingerprints received, the verification program specifies punitive action to
be performed, and the verification program transmits a continuation message, the
continuation message indicating a punitive action to be performed on a receiver of
the continuation message. The sufficient number of matches may be equal to one, or
greater than one, or may be computed as a weighted sum of matches where the
weight of each match depends on a fingerprint that matches.

According to other aspects of this embodiment, punitive action can specify
disablement of the receiver, or that the instance of software associated with the
fingerprint that was matched to a fingerprint in the fingerprint data structure should
be disabled.

In another variation, in the guardian center, the verification program
receives, via the interconnection mechanism, a copy of an infringing instance of
software and computes fingerprints on the copy of the untagged infringing instance
of software and incorporates and stores the fingerprints in the fingerprint data
structure.
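The weighted-match check and the ingestion of an infringing copy described above, as an added example that is not part of the patent text. The 16-byte window fingerprints, the weighting rule, the threshold of 5.0, the action strings and all sample data are assumptions constructed for illustration.

```python
import hashlib
from typing import Dict, Set

WINDOW = 16  # assumed size, in bytes, of each fingerprinted portion


def weight_of(window: bytes) -> float:
    # Assumed weighting rule: low-variety windows (padding, zero fill) occur in
    # many unrelated programs, so a match on one of them counts for little.
    return 0.1 if len(set(window)) <= 2 else 1.0


def fingerprint_table(content: bytes) -> Set[str]:
    """Fingerprints a user device would store for one untagged instance."""
    return {
        hashlib.sha256(content[i:i + WINDOW]).hexdigest()
        for i in range(0, len(content) - WINDOW + 1, WINDOW)
    }


class GuardianCenter:
    def __init__(self, threshold: float) -> None:
        self.threshold = threshold
        self.known: Dict[str, float] = {}  # infringing fingerprint -> weight

    def add_infringing_copy(self, content: bytes) -> None:
        """Fingerprint a copy submitted by a vendor and store the results."""
        for i in range(0, len(content) - WINDOW + 1, WINDOW):
            window = content[i:i + WINDOW]
            self.known[hashlib.sha256(window).hexdigest()] = weight_of(window)

    def score(self, fps: Set[str]) -> float:
        """Weighted sum of matches; the weight depends on which fingerprint matched."""
        return sum(self.known.get(fp, 0.0) for fp in fps)

    def call_up(self, table: Dict[str, Set[str]]) -> Dict[str, str]:
        """Return a continuation message: one action per untagged instance."""
        return {
            name: "disable" if self.score(fps) >= self.threshold else "continue"
            for name, fps in table.items()
        }


# Constructed sample data: an infringing program, a locally patched copy of it,
# and an unrelated program that shares only its zero padding.
INFRINGING = bytes((i * 7 + 3) % 251 for i in range(160)) + bytes(32)
PATCHED = b"\xff" * 48 + INFRINGING[48:]
UNRELATED = bytes((i * 11 + 5) % 241 for i in range(160)) + bytes(32)


def demo():
    center = GuardianCenter(threshold=5.0)
    center.add_infringing_copy(INFRINGING)
    table = {
        "patched.bin": fingerprint_table(PATCHED),
        "other.bin": fingerprint_table(UNRELATED),
    }
    return center, center.call_up(table)


if __name__ == "__main__":
    print(demo()[1])
```

The patched copy still matches seven full-weight fingerprints, while the unrelated program matches only the low-weight padding fingerprint and stays below the threshold, which is the false-positive case the weighting is meant to absorb.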

Embodiments of the invention also encompass a tag server that accepts a
copy of specific vendor software and produces a plurality of tags, one tag per
instance of the software, with each tag uniquely identifying an instance of software
with which it is associated. Each tag preferably comprises at least one of the name
of the software associated with the tag, a unique number of the instance of software
associated with the tag, and hash function values computed on portions of the
instance of software associated with the tag. A digital signature mechanism may be
used to digitally sign the tags and to securely transmit the tags to an intended
receiver, such as a user device or guardian center or to the software vendor.

Methods encompassed by the invention include a method for supervising
usage of software. The method includes the steps of creating an instance of software
and creating a tag that is uniquely associated with the instance of software. The
method then distributes the instance of software and securely distributes the tag to a
user device and receives the instance of software and the associated tag at the user
device. The method then detects an attempt to use the instance of the software on
the user device and determines if the attempt to use the instance of the software is
allowable by determining a status of the tag that is associated with the instance of
software to be used.

In the method, tag creation includes steps of assigning a unique number to
the instance of software and computing a first hash function value on portions of the
content of the instance of software. Then computing a second hash function value
for the instance of software, the second hash function value combining the name of
the software, the unique number of the instance of software, and the first hash
function value. Next, the method includes the step of computing a tag that is
uniquely associated with the instance of software, the tag including the name of the
software, the unique number of the instance of software and the second hash value.

The step of computing a tag may create a digitally signed tag by applying a
digital signature function to the second hash function value to produce a signature
and including the signature in the tag.

The step of distributing the tag to a user device may include the step of 
securely distributing the tag to a software vendor and user device using a public key 
encryption technique. 

The step of receiving the instance of software can include the step of
obtaining the instance of software at the user device. And the step of receiving the
tag at a user device can include the steps of securely obtaining the tag associated
with the instance of software at the user device and determining if the tag associated
with the instance of software is signed, and if so, verifying a signature on a hash
function value in the tag and if the signature on the hash function value is verified,
installing the software on the user device, and if the tag associated with the instance
of software is not signed, installing the instance of software on the user device.

The step of detecting an attempt to use the instance of the software on the user
device can include the steps of invoking a supervising program on the user device to
intercept a user request for use of the instance of software. The step of determining
if the attempt to use the instance of the software is allowable can also include the
steps of determining if a call-up procedure is needed based on a call-up policy and if
so performing a call-up procedure to verify the authenticity and to determine the
usage supervision policy of the tag associated with the instance of software. Also
included are the steps of updating tag information in the user device based upon an
outcome of the call-up procedure and examining status information associated with
the tag to determine if use of the instance of software associated with the tag is
allowed.

The step of performing a call-up procedure includes the step of transmitting a
tag table storing the tag associated with the instance of software from the user device
and awaiting reception of a continuation message returned to the user device that
indicates an action to be performed for each tag in the tag table. The user device
may continue processing local requests for execution while waiting for the
continuation message.

The method embodiments can also include the step of verifying that the
continuation message is directed towards a specific device and that the event history
corresponds to the event history at this device.

In the method embodiments, the step of performing a call-up procedure can
include the steps of receiving a tag table including the tag associated with the
instance of software and examining each tag received in the tag table against a
tagged software database to ensure that tags in the tag table are in compliance with
at least one usage supervision policy. Also included is the step of transmitting a
continuation message indicating an action to follow at the user device upon
detecting an attempted use of the instances of software associated with each tag.

In the method embodiments, the continuation message can include a
supervising program identifier of the supervising program to which the continuation
message is to be sent, as well as the time when the continuation message was
prepared, as well as an encoding of the tag table header that accompanied the call-up
from the device.

A method for supervising use of software is also provided as part of the
invention and includes the steps of detecting use of an untagged instance of software
on a user device and then creating and storing fingerprints associated with the
untagged instance of software on the user device. The method continues by
detecting an attempt to use the untagged instance of the software on the user device
and determining if the attempt to use the instance of the software is valid by
comparing the fingerprints associated with the untagged instance of software with a
fingerprint data structure of infringing fingerprints and disabling use of the untagged
instance of software if a fingerprint match is found.

The above method can also include the steps of detecting use of a tagged
instance of software on a user device and creating and storing fingerprints associated
with the tagged instance of software on the user device. The step of detecting an
attempt to use the tagged instance of the software on the user device is also included,
as is the step of determining if the attempt to use the instance of the software is valid
by comparing the fingerprints associated with the tagged instance of software with a
fingerprint data structure of infringing fingerprints and disabling use of the tagged
instance of software if a fingerprint match is found.

The method may be supplemented by the steps of detecting, by a software
vendor, an instance of infringing software and submitting a copy of the instance of
infringing software to a guardian center. Also included are the steps of computing
fingerprints at the guardian center on the infringing instance of software and
incorporating and storing the fingerprints in a fingerprint data structure. This
supplemental method may also be an alternative embodiment on its own regardless
of the existence of tagged software.

Another embodiment of the invention includes a method for uniquely
identifying instances of software comprising the steps of obtaining an instance of
software, assigning a name to the instance of software, and assigning a unique
number to the instance of software. The unique number can be different from any
unique number assigned to another instance of the same software. This method also
includes the steps of computing a hash function value on portions of the instance of
software and computing a second hash function value on a concatenation of the
name of the instance software, the number of the instance software, and the first
computed hash function value to produce an unsigned hash function value unique to
that instance of software. The method continues with the steps of signing the
unsigned hash function value using a key to produce a signed hash function value
for the instance of software and creating a tag associated with the instance of
software that uniquely identifies that instance of software, the tag including the
signed hash value of the instance of software, the name of the instance of software,
the unique number of the instance of software, and the unsigned hash value of the
instance software.

According to this embodiment, the steps of obtaining the instance of
software and assigning a name to the software are performed by a software vendor
and the steps of assigning a unique number to the instance of software, computing
the first and second hash function values, signing the second hash value, and
creating the tag are performed by a tag server.

The invention also includes embodiments related to a computer readable
medium encoded with instructions that when read and executed on a processor
perform the steps of detecting a request to use an instance of software and
determining if a tag corresponding to the instance of software has an associated
status that allows the instance of software to be used and periodically performing a
call-up procedure to validate the authenticity of the tag and to ensure that the
instance of software corresponding to the tag is used in accordance with a usage
supervision policy.

The invention also includes embodiments directed to a propagated signal
transmitted via a carrier over a communications medium. One such signal carries an
encoded tag table data structure which includes at least one tag that is uniquely
associated with one instance of software and includes at least one field associated
with the tag in the tag table, the at least one field indicating a use control status for
the one instance of software associated with the tag.

Another such signal carries an encoded continuation message, the
continuation message containing an indication of actions to be performed at a
receiver of the propagated signal when an attempt to use an instance of software
associated with the actions is detected at the receiver.

Another method is provided by the invention for ensuring that a software
program hasn't been altered. This method embodiment includes the steps of
computing an unaliasable hash function value on the contents of the software
program and comparing the result of the unaliasable hash function with a result of a
previously held hash value to determine if the results are the same, thus indicating if
a software program has been altered. In one version of this method, the operating
system computes the unaliasable hash function value and the software program is
the supervising program.

Also provided by the invention is a method for ensuring that data has not
been altered by means of computing an unaliasable hash function value on the
contents of that data and comparing the said value with a previously computed hash
function value. The supervising program preferably computes the unaliasable hash
function value and the data used by the supervising program in this method.

General Summary of Operation of Above Embodiments of the Invention:

Before the detailed description of the embodiments noted above is given,
the following summary of the general high-level operation of various embodiments
of the invention is provided to aid the reader in understanding certain complexities
in portions of the invention's embodiments.

As noted in the above described embodiments, each instance of vendor's
specific software is accompanied by a unique unforgeable tag. All software instances
of the same specific software, however, are identical and un-encrypted, each
consisting of a copy of the specific software and, possibly, including the name of the
software. For example, an instance of the specific application program software
Spread will include the program code for a spreadsheet application as well as the
name "Spread." Since no specialized hardware devices are required for the
invention, instances of arbitrary kinds of software can be used together on a
common device or on different devices.

A software vendor produces instances (copies) of some specific software and
sends one instance of that software to a tag server, together with a request for a
certain number of tags for instances of that software. The tag server produces the
requested number of different unique tags. Each unique tag will be associated by the
vendor with one instance of the software and will serve to uniquely identify the
instance of software with which it is associated. A user device receives and attempts
to use an instance of the vendor's software and securely receives the tag uniquely
associated with that instance of software.

The user device includes the supervising program running on that device,
which verifies the authenticity of the associated tag and stores the tag in a tag table
and stores the instance of software on a storage device or allows use of the software
instance, only if the tag is authentic. The supervising program rejects an instance of
software if the tag associated with the instance is not authentic. Every tag in the tag
table has a status such as "usable" or "removed" or "pay-per-use", associated with it
by the supervising program. The supervising program detects commands to the
device to use the said instance of software and verifies that the status currently
associated with the tag associated with that instance of software permits use of that
instance.

Securely sending or receiving data or an object containing data means that
the data or the object are sent or received in a manner that does not allow the data or
the data contained in the object to be altered by or revealed to anyone other than the
authorized sender or receiver. For example, a tag may be securely sent from a
vendor to a user device over a network by use of the IETF IPSEC or NETSCAPE
SSL or any other protocol for secure communication, or the tag may be handed over
by the vendor to the user on a diskette placed in a tamper-proof sealed envelope.
Secure communication is employed in the invention just to protect sensitive
information from being divulged to eavesdroppers and is not part of the invention's
protection mechanisms proper. Any standard protocol for secure communication
between parties will serve this purpose.

As noted in the embodiments above, the tag created by the tag server for an
instance of vendor software includes the name of that software, a unique identifying
number for that instance of software, hereinafter referred to as the instance number,
a hash function value on some portions of the instance of software, and a hash
function value combining all the previous data. The instance numbers employed in
the present invention can be integers or any sequences of any symbols, the said
sequences serving as unique identifiers. Optionally, the tag server may digitally sign
the last mentioned hash function value, and include the signature in the tag.

Tags which include a signature will hereinafter be referred to as signed tags.
Tags which do not include a signature will be referred to as unsigned tags. When
preparing an unsigned tag for an instance INST_SW of software SW, the tag server
selects the unique identifying number for the instance from a secret sparse set of
numbers, hereinafter referred to as the secret sparse set, associated with the software
SW. Numbers in the secret sparse set may, for example, be produced by a physical
process.

To determine whether a tag associated with an instance INST of software is
authentic, the supervising program of the device on which INST is to be installed or
used, extracts the instance number NUM_INST of INST and the name NAME_SW
of SW from the tag. The supervising program computes a hash function value on
some specified portions of the contents of the software instance INST. The
supervising program then computes a hash function value combining the instance
number NUM_INST, the name NAME_SW, and the previously computed hash
function value. The supervising program compares the hash function values it
computed with hash function values found in the tag. It must also verify any digital
signature which is a component of a signed tag. The authenticity of an unsigned tag
is further checked by the supervising program before allowing the first or some
subsequent use of the associated instance of software by securely sending the tag to
the tag server or to a guardian center described next, for authentication of the tag.
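Tag creation at the tag server and the authenticity check in the supervising program, both described above, as an added example that is not code from the patent. SHA-256, the byte ranges in `PORTIONS`, the length-prefixed field encoding, the status strings and the sample data are assumptions; HMAC-SHA256 stands in for the digital signature because Python's standard library has no public-key signature, whereas a deployment would give the user device only a verification key.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumption: the byte ranges that count as the hashed "portions" of an instance.
PORTIONS = [(0, 32), (64, 32)]


def field(data: bytes) -> bytes:
    # Length-prefix every field so that ("Spread", "12") and ("Spread1", "2")
    # cannot produce the same concatenation.
    return len(data).to_bytes(4, "big") + data


def first_hash(content: bytes) -> bytes:
    """First hash function value: computed on portions of the instance."""
    h = hashlib.sha256()
    for offset, length in PORTIONS:
        h.update(field(content[offset:offset + length]))
    return h.digest()


def second_hash(name: str, number: str, h1: bytes) -> bytes:
    """Second hash function value: combines name, instance number, first hash."""
    return hashlib.sha256(
        field(name.encode()) + field(number.encode()) + field(h1)
    ).digest()


@dataclass(frozen=True)
class Tag:
    name: str
    number: str
    unsigned_hash: bytes
    signature: Optional[bytes] = None  # None means an unsigned tag


def make_tag(name: str, number: str, content: bytes,
             signing_key: Optional[bytes] = None) -> Tag:
    """Tag server side: build a signed tag, or an unsigned one if no key is given."""
    h2 = second_hash(name, number, first_hash(content))
    sig = hmac.new(signing_key, h2, hashlib.sha256).digest() if signing_key else None
    return Tag(name, number, h2, sig)


def verify_tag(tag: Tag, content: bytes, verify_key: bytes) -> str:
    """Supervising program side: recompute both hashes, then check the signature."""
    expected = second_hash(tag.name, tag.number, first_hash(content))
    if not hmac.compare_digest(expected, tag.unsigned_hash):
        return "reject: hash mismatch"
    if tag.signature is None:
        # Unsigned tags are only provisionally accepted until a server confirms them.
        return "unsigned: confirm with tag server or guardian center"
    good = hmac.new(verify_key, tag.unsigned_hash, hashlib.sha256).digest()
    if not hmac.compare_digest(good, tag.signature):
        return "reject: bad signature"
    return "authentic"


# Constructed sample data.
KEY = b"constructed-demo-key"
CONTENT = b"Spread" + bytes(range(122))

if __name__ == "__main__":
    print(verify_tag(make_tag("Spread", "000123", CONTENT, KEY), CONTENT, KEY))
```

The hash comparison alone only binds the tag to the content it was issued for; it is the signature check that rejects a tag whose hash was recomputed locally for altered content.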

As indicated above, the system also includes a guardian center which
includes a tagged software database and a verification program. The guardian center
periodically communicates with the user device via a call-up procedure to receive all
tags from the user device for each instance of software installed on the user device.
The verification program examines each tag received from the user device against
the tagged software database to ensure that the tags are in compliance with at least
one usage supervision policy. The verification program returns a continuation
message to the user device which indicates an action to follow upon attempted
access to the instances of software associated with each tag on the user device.

The usage supervision policy can be associated with individual instances of
software to which at least one tag is associated, or can be associated with the entire
user device with which the guardian center communicates, or can be associated with
an individual user of the user device with which the guardian center communicates.

The guardian center maintains a tag data structure in the tagged software
database for each tag for each instance of software on each user device. Each tag
data structure can include a tag of an instance of software, a name of the instance of
software, a unique number of the instance of software, a hash value on the instance
of software, a policy associated with the instance of software, and a series of call-up
records associated with the instance of software. Each call-up record in the series of
call-up records represents information concerning one call-up procedure and
includes a call-up time, a header of a tag table transferred to the guardian center
during the call-up procedure, the last call-up time indicating a time stamp of a
former call-up procedure, a hash of the tag table transferred to the guardian center
during the call-up procedure, and the action to follow on the user device contained in
the continuation message associated with the call-up procedure. Using these
mechanisms, the guardian center can track usage statistics of instance of software for
such activities as paying per use of an instance.

According to another aspect of the invention, an untagged instance of
software may be installed on the user device. The protection program detects the
untagged instance of software and performs a fingerprint process on the untagged
instance of software and stores fingerprints resulting from the fingerprint process in
a fingerprint table on the user device. The guardian center, according to this aspect,
includes a fingerprint database. The guardian center periodically communicates
with the user device via a call-up procedure to receive all fingerprints from the user
device for each untagged instance of software installed on the user device. The
verification program examines each fingerprint received from the user device against
the fingerprint database to determine if an untagged instance of software is an
infringing instance of software. In this manner, the invention can detect the use of
modified software that is an illegal copy.

If the verification program detects a match between a fingerprint in the
fingerprint database and a fingerprint within all fingerprints received from the user
device, the verification program specifies punitive action to be performed, and the
verification program returns a continuation message to the user device. In this case,
the continuation message indicates the punitive action to be performed on the user
device. As such, a user device can be disabled, for example, if caught using
untagged infringing software.

Alternatively, the punitive action may specify that the untagged instance of
software associated with the fingerprint that was matched to a fingerprint in the
fingerprint database should be disabled.

To obtain fingerprints at the guardian center, the software vendor transmits a
copy of an untagged infringing instance of software to the guardian center and the
guardian center computes fingerprints on the copy of the untagged infringing
instance of software and stores the fingerprints in the fingerprint database.

Another embodiment of the invention provides a tag table data structure
encoded on a computer readable medium. The tag table data structure includes at
least one tag that is uniquely identified with one instance of software and includes at
least one field associated with the tag in the tag table. The field indicates a usage
supervision status for the one instance of software identified with the tag and may
also indicate use statistics for the one instance of software identified with the tag.

The tag table data structure may also include a tag table header that uniquely
identifies the tag table and that uniquely associates the tag table with one user
device. The tag table header includes information concerning user device use
statistics and includes a continuation message. The continuation message indicates
punitive action and usage supervision status for an instance of software associated
with a tag.

A software vendor is provided as an aspect of the invention and includes a
software development mechanism that creates instances of software having a name
and having software content. Each instance of software is executable only in
conjunction with a tag that is unique to that instance of software. The tag is a unique
unforgeable collection of information concerning the instance of software to which
the tag is associated and includes the name of the software, a unique number of the
instance of software and a hash of the content of the software. The software vendor
also includes an infringing software detection mechanism that detects an infringing
instance of software that is infringing intellectual property rights. The software
vendor transfers the infringing instance of software to a guardian center so that
usage supervision can be implemented to detect attempted uses of the infringing
instance of software.

In an alternative embodiment of this invention, a software vendor is provided
which produces at least one instance of software incorporating a device identifier
inside a test. The test will be an "if statement" in a typical programming language.
The test comprises the comparison of the incorporated identifier with the identifier
of the device upon which the software instance is to be used. If the incorporated
identifier equals the device identifier then the software instance can be used
normally, otherwise punitive action is taken by the supervising program on the
device. For added protection, a digital signature of the hash of the software instance
(including the incorporated identifier) is sent, a second test determines whether the
digital signature is authentic, and a third test determines whether the signed value is
the same as the hash of the software instance. If not, punitive action is taken by the
supervising program in the device.

As noted above in the embodiment construction section, a user device is
provided and includes an input that receives an instance of software and securely
receives a tag uniquely associated with that instance of software and receives an
attempt from a user of the user device to access the instance of software. A
processor in the user device executes a protection program. The protection program
detects the attempt to access the instance of software and verifies the authenticity of
the tag associated with the instance of software before allowing access to the
instance of software by the user of the user device. The protection program
determines that a call-up procedure is required as defined by a call-up policy and the
protection program performs the call-up procedure to update the status of tags stored
in the tag table. During the call-up procedure, the protection program securely
transmits the tag table from the user device via an interconnection mechanism
coupled to the user device and awaits reception of a continuation message returned
to the user device that indicates an action to be performed for each tag in the tag
table. In this manner, the user device does not need to be concerned with setting a
usage supervision policy, but rather, merely maintains a policy that is centralized to
all devices.

For untagged instances of software installed on the user device, the
protection program detects the untagged instance of software and performs a
fingerprint process on the untagged instance of software and stores fingerprints
resulting from the fingerprint process in a fingerprint table on the user device. For
untagged software, during the call-up procedure, the protection program transmits
the fingerprint table from the user device via an interconnection mechanism coupled
to the user device and awaits reception of a continuation message returned to the
user device that indicates an action to be performed for each untagged instance of
software stored on the user device.

For untagged software, the verification program in the guardian center
periodically executes a call-up procedure to receive, via an interconnection
mechanism, fingerprints for untagged instances of software. The verification
program examines each fingerprint received against the fingerprint database to
determine if an untagged instance of software is an infringing instance of software,
and if so, the verification program prepares punitive action for the user device. If
the verification program detects a match between a fingerprint in the fingerprint
database and a fingerprint within the fingerprints received, the verification program
specifies punitive action to be performed, and the verification program transmits a
continuation message to the user device. The continuation message indicates the
punitive action to be performed on a receiving user device of the continuation
message.

Another embodiment of the invention provides an authentication server that
accepts instances of software and produces a plurality of tags, one tag per instance of
software. Each tag uniquely identifies the instance of software to which it is
associated and each tag includes encoded information concerning the name of the
instance of software associated with the tag, a unique number of the instance of
software associated with the tag, and a hash value computed on the instance of
software associated with the tag.

In the method for controlling access to software, a step of creating an
instance of software is performed. A tag is then created that is uniquely associated
with the instance of software. The instance of software and the tag are then
distributed to a user device. The method then detects an attempt to access the
instance of the software on the user device and determines if the attempt to access
the instance of the software is valid by determining a status of the tag that is
associated with the instance of software to be accessed.

To create the tags, the method assigns a unique number to the instance of
software and computes a first hash value on the content of the instance of software.
A second hash value is computed for the instance of software. The second hash
value includes a name of the software, the unique number of the instance of
software, the content of the instance of software, and the first hash value. Finally,
the method computes a tag that is uniquely associated with the instance of software.
The tag includes the name of the software, the unique number of the instance of
software and the second hash value.

The step of computing a tag can create a digitally signed tag by applying a
digital key signature function of the second hash value to produce a signature hash
value and including the signature hash value in the tag. This allows secure
distribution of the tag. A public key encryption technique can be used to securely
distribute the tag to a software vendor and user device.

The software may be distributed by obtaining the instance of software at the
user device and securely obtaining the tag associated with the instance of software at
the user device. The user device can determine if the tag associated with the
instance of software is signed, and if so, can verify a signature hash value in the tag
and if the signature hash value is verified, the user device can install the software.

To detect an attempt to access the instance of the software on the user device
the method of the invention includes the steps of invoking a protection program on
the user device to intercept a user request for access to the instance of software. To
determine if the attempt to access the instance of the software is valid, the method
determines if a call-up procedure is needed based on a call-up policy. The method
performs a call-up procedure to verify the authenticity and to determine the use
policy of the tag associated with the instance of software and updates tag
information in the user device based upon an outcome of the call-up procedure.
Status information associated with the tag is examined at the user device to
determine if access to the instance of software associated with the tag is valid. In
this manner, protection to software is provided.

During the call-up procedure, a tag table storing the tag associated with the
instance of software is transmitted from the user device and the user device awaits
reception of a continuation message returned to the user device that indicates an
action to be performed for each tag in the tag table.

The guardian center receives the tag table including the tag associated with
the instance of software and examines each tag received in the tag table against a
tagged software database to ensure that tags in the tag table are in compliance with
at least one usage supervision policy. The guardian center transmits a continuation
message indicating an action to follow at the user device upon detecting an
attempted access to the instances of software associated with each tag.

Other embodiments of the invention include a computer readable medium
encoded with instructions for the above processes, as well as a propagated signal
transmitted via a carrier over a medium which carries an encoded tag table data
structure as described above.

Using these mechanisms, the system of the invention allows a rightful
vendor/owner of the rights in an instance of software to police those rights. If the
vendor discovers that the vendor rights are being infringed, such as by discovering a
bootleg, stolen, reverse engineered, modified or disassembled instance of software
which is essentially identical in operation to the vendor produced software, the system
can police the use of these illegal copies of software.

The system of the invention at the same time protects a rightful user of
software from denial of service by dishonest parties who attempt to create a false
impression of illegal use of software by the rightful user/owner.

The invention also allows pay-per-use statistics to be tracked at each user
device for software which is purchased on a per use basis. During the call-up
procedure, the guardian center can determine the use statistics for pay-per-use
instances of software and can provide the use information back to the software
vendor for billing purposes.

As indicated above, the system includes a guardian center that includes a
tagged software database and a verification program. Every user device must
periodically communicate with the guardian center via a call-up procedure and
securely send, for each instance of vendor software installed on that user device, or
used on the device since the last preceding call-up procedure, the tag associated with
that instance. Additional data from the tag table, up to and including the complete
tag table, may also be securely sent by the supervising program to the guardian
center during a call-up procedure. The call-up procedure may be initiated by either
the guardian center or the user device. The guardian center's verification program
authenticates each tag it received from the user device.

Essentially, the verification program examines each tag and its associated
data received from the user device against the tagged software database to
authenticate it and to ensure that the tag is in compliance with at least one usage
supervision policy applying to the software instance with which the tag is
associated. For example, the verification program may check whether a tag received
during a call-up was, at any time since the previous call-up from the same
supervising program, in usable status in the calling device's tag table and,
simultaneously, in usable status in some other device's tag table, such an occurrence
being a violation of a possible usage supervision policy. The verification program
securely returns a continuation message to the user device and updates the tagged
software database, using the tags and the associated information it has received
during the call-up procedure.

When creating an unsigned tag for an instance of software, the tag server
securely sends the tag to the guardian center and the guardian center's verification
program stores the received tag in the tagged software database.

In another implementation, the tag server sends all newly created tags to the
guardian center and the guardian center's verification program stores each received
tag in the tagged software database. When the guardian center receives a tag from a
user device during a call-up procedure, the guardian center's verification program
authenticates the tag by searching for it in the guardian center's tagged software
database and, if not found there, declaring it as not authentic if said tag is an unsigned
tag. If said tag is a signed tag then the verification program authenticates the tag by
either finding it in the tagged software database or by verifying that said tag has the
correct form and further verifying the digital signature included in the tag.

The guardian center's continuation message to a user's device is signed by the
guardian center and includes identifying data such as a time-stamp, a hash function
value of the tag table or of other data it has received from the user device's
supervising program during the current call-up. In addition, the continuation
message contains commands, hereinafter called actions, to the supervising program
in the user device.

Examples of actions used by the invention include but are not limited to:
Instructing the supervising program to (1) allow continued use of a particular
instance of software; or (2) to refuse use of a software instance for a specified time
period; or (3) to refuse to install or allow use of software having a given name or a
given list of fingerprints for a specified period of time; or (4) to disable the user
device for a specified period of time. Actions of types 2 - 4 are sometimes called
punitive actions.

Upon receiving, during the call-up procedure, the continuation message from
the guardian center, the user device's supervising program checks the guardian
center's digital signature. The supervising program further checks whether the
continuation message is for the current call-up of this device by comparing hash
function values or other data present in the continuation message, with hash function
values of portions of the device's tag table or with the hash function value of the tag
table or with other data present in the tag table.

If the above signature is verified as being authentic and the above
comparisons produce matches, the supervising program accepts the continuation
message as being the guardian center's response in the current call-up procedure. In
this case the supervising program stores the continuation message in the tag table
and proceeds to update the status of tags and execute actions according to the actions
and punitive actions present in said continuation message.

A usage supervision policy can be associated with an individual tagged
instance of software, or with a specific software or type of software, or with the
entire user device with which the guardian center communicates, or with an
individual user of the user device with which the guardian center communicates.

Examples of usage supervision policies defined by a vendor of instances of
software include but are not limited to the following and any combination thereof.
That an instance of software once used on one user device will not be used on a
different user device. That an instance of software not be used or be in usable status
simultaneously on two different user devices. That an instance of software be used
or be in usable status simultaneously only on user devices within a specified set of
devices. That an instance of software be used for no more than a specified number of
times. That an instance of software not be used after a specified date. That use of an
instance of software be allowed only if pay-per-use fees for that instance were
transferred to a specified account.
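
The policy checks listed above, and the simultaneous-use check the verification
program is described as making, can be sketched as follows. This is an added
example, not code from the patent: the report layout (one usable-status interval
and a use count per tag), the field names, and the choice to answer the calling
device with "refuse" are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    one_device_only: bool = False          # once used on one device, never on another
    no_simultaneous_use: bool = False      # not in usable status on two devices at once
    allowed_devices: Optional[frozenset] = None
    max_uses: Optional[int] = None
    not_after: Optional[int] = None        # last permitted time of use


@dataclass
class TagRecord:
    """Guardian-center record kept per tag, not per device."""
    policy: Policy
    uses: int = 0
    call_ups: list = field(default_factory=list)  # (device, usable_from, usable_to)


def violations(rec, device, usable_from, usable_to, uses):
    """Return the names of the policies this call-up report breaks."""
    p, found = rec.policy, []
    others = [(s, e) for d, s, e in rec.call_ups if d != device]
    if p.one_device_only and others:
        found.append("one_device_only")
    # Two half-open intervals overlap when each starts before the other ends.
    if p.no_simultaneous_use and any(
            s < usable_to and usable_from < e for s, e in others):
        found.append("no_simultaneous_use")
    if p.allowed_devices is not None and device not in p.allowed_devices:
        found.append("allowed_devices")
    if p.max_uses is not None and rec.uses + uses > p.max_uses:
        found.append("max_uses")
    if p.not_after is not None and usable_to > p.not_after:
        found.append("not_after")
    return found


def call_up(db, device, report):
    """report maps tag -> (usable_from, usable_to, uses) since the last call-up."""
    actions = {}
    for tag, (usable_from, usable_to, uses) in report.items():
        rec = db.get(tag)
        if rec is None:                    # tag not on record at the guardian center
            actions[tag] = ("refuse", ["unknown_tag"])
            continue
        found = violations(rec, device, usable_from, usable_to, uses)
        rec.call_ups.append((device, usable_from, usable_to))
        rec.uses += uses
        actions[tag] = ("refuse", found) if found else ("continue", [])
    return actions


def demo():
    # Constructed records and reports; times are plain integers.
    db = {"T1": TagRecord(Policy(no_simultaneous_use=True)),
          "T2": TagRecord(Policy(no_simultaneous_use=True)),
          "T3": TagRecord(Policy(max_uses=3, not_after=5000))}
    return [
        call_up(db, "A", {"T1": (0, 300, 5), "T2": (0, 100, 2)}),
        call_up(db, "B", {"T1": (100, 200, 1), "T2": (100, 200, 1)}),
        call_up(db, "A", {"T3": (0, 400, 2)}),
        call_up(db, "A", {"T3": (400, 6000, 2), "T9": (0, 10, 1)}),
    ]
```

The overlap on T1 is only noticed at device B's call-up, so the call-up policy
bounds how long a violation can go undetected; T2 shows a hand-over from A to B
with no overlap passing the same check.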

The methods and apparatus of the invention make it possible to enforce any
usage supervision policy defined by a vendor or consortium of vendors with respect
to use of an instance or a class of instances of software.

The guardian center maintains a tag data structure in the tagged software
database for each individual tag associated with some instance of software on some
user device. The tag data structure for a tag is associated with the tag itself and not
with any particular user device from which that tag was transmitted to the guardian
center during some call-up procedure. Each tag data structure comprises the tag of
an instance of software, the name of the software of which the instance is a copy, the
instance number of the instance of software, a hash function value of the instance of
software or of portions of that instance, a usage supervision policy associated with
the instance of software, and a collection of references to call-up records, or a
collection of call-up records, associated with the instance of software. Each call-up
record in the said collection of call-up records represents information concerning
one call-up procedure and may include a call-up time, a header of a tag table or
some other identifying information transferred to the guardian center during the
call-up procedure, the last call-up time indicating a time stamp of a former call-up
procedure, a hash function value of the tag table transferred to the guardian center
during the call-up procedure, and the continuation message sent to the user device's
supervising program during the call-up procedure.

Using data gathered and stored during call-up procedures, the guardian
center can compile usage statistics for each instance of software, for such purposes
as billing for paying per-use for a software instance.

An untagged instance of software may be installed or used on the user
device. The supervising program detects that the instance is untagged and computes
fingerprints of selected portions of the untagged instance of software and stores
these fingerprints in a fingerprint table on the user device. The guardian center,
according to this aspect, includes a fingerprint data structure. During the above
mentioned call-up procedure with a user device, the guardian center receives all
fingerprints from the user device for each untagged instance of software installed on
the user device. The verification program compares each fingerprint received from
the user device against the fingerprints in its fingerprint data structure to determine if
an untagged instance of software used on a user device is an infringing instance of
software. In this manner, the invention can detect the use of a software instance that
is a pirated copy of vendor software whose tag has been removed, or a pirated
derivative of vendor software.

If the verification program detects a match between more than a specified
number of fingerprints in the guardian center's fingerprint data structure and the
fingerprints received from the user device, the verification program can specify a
punitive action or actions in the continuation message returned to the user device.
According to one such punitive action, a user device can be disabled for a specified
period of time, if detected by the guardian center as using untagged infringing
software.

In another example, a punitive action may specify that the untagged instance
of software associated with a fingerprint that was matched to a fingerprint in the
guardian center's fingerprint data structure, should be disabled.

The fingerprint data structure at the guardian center is constructed by having
software vendors who detect that infringing software is being distributed or used as
untagged software, send a copy of such untagged infringing software to the guardian
center. The guardian center computes fingerprints of portions of this copy of the
infringing software and incorporates and stores these fingerprints in the fingerprint
data structure.

Protection against infringement of vendor's rights in software is also
provided by fingerprinting selected portions of any instance of software, tagged or
untagged, used on a user device and storing these fingerprints in the device's
fingerprint table. As before, the fingerprints in the fingerprint table are sent by the
device's supervising program to the guardian center during execution of a call-up
procedure and the guardian center's verification program searches for matches
between the received fingerprints and fingerprints in the guardian center's fingerprint
data structure. This aspect of the invention protects against infringement on a
legitimate vendor's rights by a pirating vendor who makes an infringing version of a
legitimate vendor's software and distributes tagged instances of the said infringing
software.

A tag table data structure encoded on a device-readable medium accessible
by the user's device. If any tagged software has been installed on the device or used
by the device, the tag table data structure includes at least one tag that is uniquely
associated with one instance of software and includes at least one field associated
with the tag in the tag table. The field indicates a usage supervision status for the
one instance of software associated with the tag and may also indicate use statistics
for the one instance of software associated with the tag. The tag table data structure
may also include a tag table header that uniquely identifies the tag table and that
uniquely associates the tag table with one user device or with one user device's
supervising program. The tag table header includes information concerning user
device use statistics and includes a continuation message. The continuation message
indicates possible actions and usage supervision status for an instance of software
associated with a tag.

A software vendor provides a software development process that creates
instances of software having a name and having software content. Each instance of
the vendor's software is accessible or usable only in conjunction with a unique tag
that is associated with that instance of software. The tag is a unique unforgeable
collection of information concerning the instance of software with which the tag is
associated and includes the name of the software, a unique identifying number of the
instance of software and a hash function value of portions of the content of the
software. The software vendor also comprises an infringing software detection
mechanism that detects an instance of software that is infringing on the vendor's
intellectual property or other rights. The software vendor transfers a copy of the
infringing instance of software to a guardian center so that the methods of the
present invention can be employed by the guardian center to detect attempted uses
and access to the infringing instance of software, and when detected, to impose
punitive actions on the user device involved.

A user device includes an input port that receives an instance of software and
securely receives a tag uniquely associated with that instance of software. The
device also receives requests to install or to use the instance of software. A processor
in the user device executes a supervising program. The supervising program detects
the attempt to install or to use the instance of software and verifies the authenticity
of the tag associated with the instance of software or the status associated with the
tag, before allowing installation of or use of the instance of software. From time to
time the supervising program determines that a call-up procedure is required as
defined by a call-up policy, and the supervising program performs the call-up
procedure to update the status of tags stored in the tag table.

During the call-up procedure, the supervising program securely transmits the
tag table from the user device via an interconnection mechanism coupled to the user
device and awaits reception of a continuation message returned to the user device
that indicates actions to be performed for each tag in the tag table. In this manner,
the user device does not need to be concerned with setting a usage supervision
policy, but rather just enforces a usage supervision policy that is common to all
devices or vendor's usage supervision policies associated with software instances
distributed by those vendors.

Call-up policies implemented by a user device's supervising program may be
associated with the device, with a particular instance of software used on the said
device, or with a particular user of the device. Examples of call-up policies include,
but are not limited to, the following. The latest time for the next call-up for a user
device may be determined by a combination of the time elapsed since the last
call-up, the number of times that the device was turned on since the last call-up, and
the total time that the device was used since the last call-up. Similarly a call-up
policy associated with a tag or with the instance of software associated with that tag
may determine the latest time for the next call-up as a function of the time elapsed
since the last call-up, the number of times that the instance of software was used,
and the total time that the instance of software was used on the device. Another
call-up policy associated with an instance of software may specify execution of a
call-up every time that an attempt to use the instance of software on the user device
occurs.

The invention enforces the behavior of a user device and its supervising
program to conform to a call-up policy applicable to the said user device or to any
tag in the said device's tag table, by having the supervising program execute a
specified punitive action in case of failure to call-up the guardian center and to
receive from the guardian a continuation message before the latest time for call-up
specified by the call-up policy. The invention ensures that a user device's
supervising program accepts a message received during execution of a call-up
procedure as the guardian center's continuation message for this call-up, only if the
said message is in fact sent by the guardian center as the continuation message for
the said call-up. This is achieved by the guardian center signing its continuation
message and including in it identifying data uniquely linking it with the present
call-up by the user device's supervising program, as explained before, and by the
supervising program verifying the said signature and the said identifying data. The
above provisions of the invention prevent a user or a user's device from
circumventing the invention's protections by either not calling-up the guardian
center according to a call-up policy or by attempting to create or use an improper
continuation message.
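
The acceptance check described above, and earlier where the supervising program
compares hash function values in the continuation message with those of its tag
table, can be sketched as follows. This is an added example, not code from the
patent: the JSON layout and field names are assumptions, and HMAC-SHA256 with a
constructed key stands in for the guardian center's digital signature so that it
runs on the standard library (the scheme described needs a public-key signature,
so that the device holds only a verification key).

```python
import copy
import hashlib
import hmac
import json

GUARDIAN_KEY = b"constructed-demo-key"  # constructed; stands in for a signing key


def canonical(obj) -> bytes:
    """Deterministic encoding so both sides hash and sign identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def table_hash(tag_table: dict) -> str:
    return hashlib.sha256(canonical(tag_table)).hexdigest()


def sign(body: dict, key: bytes) -> str:
    # HMAC stand-in for the guardian center's digital signature (assumption).
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def guardian_reply(received_table, now, actions, key=GUARDIAN_KEY):
    """Guardian side: bind the reply to the exact tag table just received."""
    body = {"time": now, "table_hash": table_hash(received_table),
            "actions": actions}
    return {"body": body, "sig": sign(body, key)}


def accept(tag_table, message, key=GUARDIAN_KEY) -> bool:
    """Device side: check the signature, then the link to this call-up."""
    body = message["body"]
    if not hmac.compare_digest(sign(body, key), message["sig"]):
        return False
    return hmac.compare_digest(body["table_hash"], table_hash(tag_table))


def apply_continuation(tag_table, message):
    """Store the accepted message in the tag table and update tag statuses."""
    updated = copy.deepcopy(tag_table)
    updated["header"]["continuation"] = message
    updated["header"]["last_call_up"] = message["body"]["time"]
    for tag_id, action in message["body"]["actions"].items():
        if tag_id in updated["tags"]:
            updated["tags"][tag_id]["status"] = (
                "usable" if action == "continue" else "disabled")
    return updated


def demo() -> dict:
    # Constructed tag table for one device holding one tag.
    table0 = {"header": {"device": "device-A", "last_call_up": 0,
                         "continuation": None},
              "tags": {"T1": {"status": "usable", "uses": 4}}}
    first = guardian_reply(table0, 1000, {"T1": "continue"})
    first_ok = accept(table0, first)
    table1 = apply_continuation(table0, first)

    # Next call-up: the guardian center now refuses T1 for table1.
    second = guardian_reply(table1, 2000, {"T1": "refuse"})
    edited = copy.deepcopy(second)
    edited["body"]["actions"]["T1"] = "continue"   # body no longer matches sig
    table2 = apply_continuation(table1, second)
    return {
        "first_ok": first_ok,
        "second_ok": accept(table1, second),
        "old_reply_reused": accept(table1, first),
        "edited_reply": accept(table1, edited),
        "status_after_second": table2["tags"]["T1"]["status"],
    }
```

Because each accepted continuation message is stored in the tag table, the table
hash changes after every call-up, which is what makes the earlier reply fail the
second check even though its signature is still valid.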

Examples of the above mentioned punitive action on a user device executed
by the said device's supervising program upon failure to conform to a call-up policy
include, but are not limited to, the following. The supervising program may disable
the device from any activity, except for executing a call-up procedure, for a specified
length of time. The device may disable use of an instance of software if a call-up
policy associated with that instance of software was violated, for a specified length
of time.

For untagged instances of software installed or used on the user device, the
supervising program detects the untagged instance of software and performs a
fingerprinting process on the untagged instance of software and stores fingerprints
resulting from the fingerprinting process in a fingerprint table on the user device.
For untagged software, during the call-up procedure, the supervising program
transmits the fingerprint table from the user device via an interconnection
mechanism to the guardian center and awaits reception of a continuation message
from the guardian center to the user device, said message indicating an action or
actions to be performed for each untagged instance of software stored on the user
device.

For untagged software, the user device's supervising program periodically
executes a call-up procedure to send, via an interconnection mechanism, fingerprints
for untagged instances of software. This call-up procedure may be initiated by the
user device's supervising program or by the guardian center. The guardian center's
verification program examines each fingerprint received against the guardian
center's fingerprint data structure to determine if an untagged instance of software is
an infringing instance of software, and if so, the verification program prepares
punitive action for the user device. For example, if the verification program detects a
sufficient number of matches between the fingerprints associated with some
specified software in the fingerprint data structure and the fingerprints associated
with untagged software in the user device, the verification program specifies
punitive action to be performed, and the verification program transmits a
continuation message to the user device. The continuation message indicates the
punitive action to be performed on the user device receiving the continuation
message.

The aforementioned tag server generally accepts a copy of specific software
and produces a plurality of tags, one unique tag per instance of said software. Each
tag uniquely identifies the instance of software with which it is associated and each
tag comprises information concerning the name of the instance of software
associated with the tag, a unique number of the instance of software associated with
the tag, and a hash function value combining the said name of software, the said
unique number of the instance of software, and a hash function value computed on
the contents of the software associated with the tag.

In the method for supervising the usage of software, the step of creating an
instance of software is performed as noted above. A tag is then created that is
uniquely associated with the instance of software. The instance of software and the
tag are then distributed to a user device. The method then detects an attempt to use
the instance of the software on the user device and determines if the attempt to use
the instance of the software is allowed by determining a status of the tag that is
associated with the instance of software to be used.

To create the tag, the method assigns a unique number to the instance of
software and computes a first hash function value on the content of the instance of
software. The method then computes a second hash function value combining the
name of the software, the unique number of the instance of software, and the first
hash function value. Finally, the method forms a tag that is uniquely associated with
the instance of software. The tag includes the name of the software, the unique
number of the instance of software and the second mentioned hash function value.

The step of creating a tag can further produce a digitally signed tag by
applying a digital signature function to the second mentioned hash function value
included in the tag and including the signed hash function value in the tag.

Software may be distributed by having the user device obtain an instance of
software at the user device as well as the tag associated with the instance of
software. The user device can determine if the tag associated with the instance of
software is signed, and if so, can verify hash function values in the tag and the
signature in the tag. If the said verifications succeed, the user device can install or
use the instance of software.
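
The tag construction and the hash verification described in the last three
paragraphs can be sketched as follows. This is an added example, not code from
the patent: SHA-256, the length-prefixed field encoding and all names are
assumptions, and the digital signature step is left out in favour of the
guardian center's database lookup that the document describes for unsigned tags.

```python
import hashlib
import hmac
from dataclasses import dataclass


def _field(data: bytes) -> bytes:
    # Length-prefix every field so that ("ab", "c") and ("a", "bc") cannot
    # collide when the fields are fed into one hash.
    return len(data).to_bytes(8, "big") + data


def first_hash(content: bytes) -> bytes:
    """First hash function value: computed on the content of the instance."""
    return hashlib.sha256(content).digest()


def second_hash(name: str, number: int, first: bytes) -> bytes:
    """Second value: combines software name, instance number and first hash."""
    h = hashlib.sha256()
    for part in (name.encode("utf-8"), number.to_bytes(8, "big"), first):
        h.update(_field(part))
    return h.digest()


@dataclass(frozen=True)
class Tag:
    name: str
    number: int
    digest: bytes  # the second hash function value


def make_tag(name: str, number: int, content: bytes) -> Tag:
    """Tag server side: one tag per instance, distinguished by its number."""
    return Tag(name, number, second_hash(name, number, first_hash(content)))


def device_accepts(tag: Tag, content: bytes) -> bool:
    """Supervising program side: recompute both hashes over the installed bytes."""
    expected = second_hash(tag.name, tag.number, first_hash(content))
    return hmac.compare_digest(expected, tag.digest)


class TaggedSoftwareDatabase:
    """Guardian center side: an unsigned tag is authentic only if on record."""

    def __init__(self) -> None:
        self._tags = {}

    def store(self, tag: Tag) -> None:
        key = (tag.name, tag.number)
        if key in self._tags:
            raise ValueError("instance number already issued for this software")
        self._tags[key] = tag.digest

    def is_authentic(self, tag: Tag) -> bool:
        recorded = self._tags.get((tag.name, tag.number))
        return recorded is not None and hmac.compare_digest(recorded, tag.digest)


def demo() -> dict:
    content = b"\x7fELF constructed sample program bytes"   # constructed input
    db = TaggedSoftwareDatabase()
    t1, t2 = make_tag("Editor", 1, content), make_tag("Editor", 2, content)
    db.store(t1)
    db.store(t2)
    # A tag that did not come from the tag server: the hashes are unkeyed, so
    # it is self-consistent, but the guardian center has no record of it.
    altered = content + b" altered"
    self_made = make_tag("Editor", 3, altered)
    return {
        "tags_differ": t1.digest != t2.digest,
        "genuine_ok": device_accepts(t1, content),
        "altered_content_ok": device_accepts(t1, altered),
        "wrong_number_ok": device_accepts(Tag("Editor", 2, t1.digest), content),
        "self_made_consistent": device_accepts(self_made, altered),
        "self_made_authentic": db.is_authentic(self_made),
        "genuine_authentic": db.is_authentic(t1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash check alone only shows that a tag matches the bytes it accompanies;
authenticity comes from the guardian center's record or, for signed tags, from
the signature.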

To detect an attempt to access the instance of the software on the user device
the method of the invention includes the steps of invoking a supervising program on
the user device to intercept a user request for use of the instance of software. To
determine if the attempt to use the instance of the software is valid, the method
determines if a call-up procedure is needed based on a call-up policy. The method
performs a call-up procedure to verify the authenticity and to determine the usage
supervision policy of the tag associated with the instance of software and updates tag
information in the user device based upon an outcome of the call-up procedure.
Status information associated with the tag is examined at the user device to
determine if use of the instance of software associated with the tag is allowable. In
this manner, usage supervision of software is provided.

During the call-up procedure, a tag table storing the tag associated with the
instance of software is securely transmitted from the user device to a guardian center
and the user device awaits reception of a continuation message returned to the user
device that indicates an action to be performed for each tag in the tag table.

The guardian center receives the tag table including the tag associated with
the instance of software and examines each tag received in the tag table against a
tagged software database to ensure that tags in the tag table are in compliance with
at least one usage supervision policy. The guardian center transmits a continuation
message indicating an action to follow at the user device upon detecting an
attempted use of the instances of software associated with each tag.

Other embodiments of the invention include a computer readable medium
encoded with instructions for the above processes, as well as a propagated signal
transmitted via a carrier over a medium which securely carries a tag table data
structure as described above.

Using these mechanisms, the system of the invention allows a rightful
vendor/owner of the rights in an instance of software to police those rights. If the
vendor discovers that the vendor rights are being infringed, such as by discovering a
bootleg, stolen, reverse engineered, or modified instance of software which is
essentially identical in operation to the vendor produced software, the system can
police the use of these illegal copies of software.

The system of the invention at the same time protects a rightful user of
software from denial of service by dishonest parties who attempt to create a false
impression of illegal use of software by the rightful user.

The invention also allows pay-per-use statistics to be tracked at each user
device for an instance of software which is purchased on a per use basis. During the
call-up procedure, the guardian center can determine the use statistics for a
pay-per-use instance of software and can provide the use information back to the
software vendor for billing purposes.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, features and advantages of the invention
will be apparent from the following more particular description of preferred
embodiments of the invention, as illustrated in the accompanying drawings in which
like reference characters refer to the same parts throughout the different views. The
drawings are not necessarily to scale, emphasis instead being placed upon
illustrating the principles of the invention.

Figure 1 illustrates an information system configured according to one
embodiment of the invention.

Figure 2 illustrates a more detailed view of the flow of information within a
system configured according to one embodiment of the invention.

Figure 3A is a flow chart showing the processing steps performed to create a
signed tag for an instance of software according to one embodiment of the invention.

Figure 3B is a flow chart showing the processing steps performed to create
an unsigned tag for an instance of software according to one embodiment of the
invention.

Figure 3C is a flow chart showing the processing steps performed to create
an unsigned tag with fingerprints for an instance of software according to one
embodiment of the invention.

Figure 4 illustrates the architecture of a user device configured according to
one embodiment of the invention.

Figure 5 is a flow chart showing the steps performed to install vendor
software on a user device according to one embodiment of the invention.

Figure 6 illustrates the contents of a tag table according to one embodiment
of the invention.

Figure 7 is a flow chart showing the processing steps performed to install
untagged software on a user device according to one embodiment of the invention.

Figure 8 is a flow chart showing high level processing steps performed by
the system of this invention to implement software usage supervision according to
one embodiment of the invention.

Figure 9 illustrates the architecture of a guardian center configured according
to one embodiment of the invention.

Figure 10 shows the contents of a guardian center record for an instance of
software according to one embodiment of this invention.

Figure 11 is a flow chart of the processing performed by a guardian center,
according to one embodiment of the invention, when a vendor detects software that
infringes on the vendor's rights in some of his software.

Figure 12 is a flow chart of the processing steps performed by a user device's
supervision program when executing a call-up procedure to the guardian center
according to one embodiment of the invention.

Figures 13A and 13B show a flow chart of the guardian center call-up
processing steps that are performed according to one embodiment of the invention.

Figure 14 shows the data structures used in an embodiment of the invention
without guardian center call-ups.

Figure 15 is a flow chart of processing steps performed by a user device's
supervision program in an embodiment of the invention without guardian center
call-ups.

DETAILED DESCRIPTION OF THE INVENTION 

Figure 1 illustrates an example information system 109 configured according
to the invention. Figure 1 is provided to describe the main component elements of
the invention and to generally describe their operational interrelationships within the
context of the invention. Information system 109 includes a communication
network 100 which interconnects a plurality of user devices 104 through 107 and
one or more software vendors 101, tag servers 102, and guardian centers 103 (one of
each shown in this example embodiment). The invention is intended to supervise
usage of information (not shown) which is used with the assistance of one of the
user devices 104 through 107, so as to prevent a user device from installing or using
any information in a manner infringing on intellectual property or other rights of an
owner or distributor or vendor in that information.

Information, the use of which is supervised by the invention for the purpose
of protecting intellectual property or other rights, may be any type of electronically,
magnetically, optically or otherwise represented information. Examples of
information are a computer software application or program, data, a web page or
web site, a downloadable application program such as a Java applet, an electronic
book, images, video, recorded music or other information on a compact disk,
magnetic disk or tape, and so forth. Generally, the usage of any type of information
that is used with the assistance of a computer or other device (for example, user
devices 104 through 107) can be supervised and the rights in that information can
be protected by the invention, regardless of what the information is or of the actual
physical medium upon which the information is stored or transmitted.

Any such information, as well as any other type of information recognized
by people skilled in the art to be protectable by the invention will be referred to
hereinafter as software. Any individual copy of a specific software, such as for
example, a copy of a specific application program or a specific book or video, will
be hereinafter referred to as an instance of software or a software instance. An owner
or vendor or distributor of software will be hereinafter referred to as a vendor or
software vendor. The installation of, use of, execution of, reading of, displaying of,
playing of, viewing of, printing of, copying of, transmitting of, or access to an
instance of software by use of or on a device will hereinafter be referred to as use of
that instance of software.

User devices 104 through 107 may be any type of device that is employed to
use software, including but not limited to a computer system, book reader, music
player (e.g., tape player, compact disc player, mini-disc player), video cassette
recorder, Digital Video Disc (DVD) player, special purpose devices and so forth.
Any such device will hereinafter be referred to as a user device or just device.
In a preferred embodiment of the invention, the user device (i.e., one of 104
through 107) is a computer system and the information is a computer application
program or data and the invention provides a mechanism to supervise usage of the
software or data by a user of the computer system so as to protect vendors' rights in
that software.

The communication network 100 may be any type of communications
mechanism which enables the component elements of the invention (101 through
107) to exchange information such as messages or signals. Examples of
communication network 100 are a computer network such as the Internet, a Public
Switched Telephone Network (PSTN), a wireless network (i.e., a cellular network),
or other type of computer or information network.

According to the general operation of the invention, the software vendor 101,
of whom there may be more than one, produces and distributes instances of
software (not shown in Figure 1). The instances of software can be installed or used
on each user device 104 through 107 on which the software is intended to be used.
By way of example, if the software is in the form of music on tape, the tape can be
installed on user device 105, which is illustrated as a tape player in the figure. The
software may be physically or manually transported from the software vendor 101
and installed on a user device 104 through 107 (i.e., as in the case of a physical
tape), or the software may be electronically disseminated and installed via the
communication network 100 using known data transport mechanisms (i.e., as in the
case of downloading an instance of software from the software vendor 101 to a user
device 107).

The tag server 102, which is a computer system coupled to the
communication network 100, creates or generates a tag (not shown in Figure 1) for
each instance of software. Typically, all instances of a specific software are
identical. Preferably, a single tag is uniquely associated with a single instance of
software produced by the software vendor 101. The tag server 102 has access to the
software created by the software vendor 101 preferably via the private
communications path 108 and the tag is preferably created based on the contents of
the software, the name, and other information generated by the tag server (such as an
instance number) or provided by the vendor. The tag server 102 can also obtain
software for tagging by using the communication network 100.

Alternatively, there may be a single software vendor 101 selling a variety of
instances of different software, and there may be a single tag server 102 and one
guardian center 103 for that single software vendor 101. The tag server 102 and
guardian center 103 may be part of the software vendor 101 (i.e., contained within
the same computer system). Alternatively, there may be a consortium of software
vendors 101 which rely on and which are served by one or more commonly shared
tag servers 102 and guardian centers 103.

Once a tag is created for an instance of software, the tag is securely
disseminated to one of the user devices 104 through 107 that contains the installed
corresponding instance of software for that tag. Secure tag dissemination preferably
takes place electronically via the communication network 100, for example, by use
of the IETF IPSEC or the NETSCAPE SSL protocols for secure communication.
Manual secure tag dissemination may be used by the system of the invention as
well. An example of manual secure tag dissemination would be to distribute the tag
within a tamper proof package containing the tag and possibly also the associated
instance of software.

Once an instance of software and the tag associated with that instance of
software are installed on a user device 104 through 107, a user (not shown) of that
device or the device itself can attempt to use the software. However, before use of
the instance of software is allowed, the supervising program (not shown) in the user
device 104 through 107 that contains the software verifies that a valid tag exists
within the user device for the instance of software requested by the user or by the
device. Periodically, each user device communicates with the guardian center 103
via communication network 100 to ensure that all tags associated with the instances
of software on that user device are valid and are being used in compliance with a
usage supervision policy.

In other words, the invention ensures that use by means of a device of the
instance(s) of software is linked to the presence of valid associated tags which are
periodically validated and checked for usage characteristics by having the user
device communicate with the guardian center. An example of an enforced usage
supervision policy is that a tag is present on only one device. The determination of
whether or not a user device 104 through 107 can use an instance of software is
based on a tag processing procedure called a call-up (explained in detail later) that is
performed between the user device and the guardian center 103.

Before further description of detailed embodiments of the invention is
provided and explained, Table 1 below provides a glossary of terms to aid in
understanding the various elements associated with the invention:



Table 1: Definition of Terms

TERM: DEFINITION

ACTIONS: Action commands included in a continuation message CM that describe
which software on the device may be used, and specify punitive actions for
detected improper use of vendor software.

CALL-UP_POLICY_SW: An optionally specified call-up policy associated with
specific software SW or with a specific instance of software INST_SW, said
policy dictating when a Device must perform a call-up procedure with the
guardian center.

CM: A Continuation Message sent from a guardian center to a user device
indicating the current state of usage permissions for instances of software in
the user device.

DEVICE IDENTIFIER: A method to identify a device either through a hardware
identifier or by using the supervisor identifier ID(SP). This identifier is used
in an embodiment in which each software instance incorporates a device
identifier in a test.

FP(X): A fingerprint computed by a fingerprint function (e.g., a hash function)
on an input string X.

GC: Guardian Center

HASH_INST_SW: A hash function value computed on HASH_SW, NAME, NUM_INST_SW and
possibly other fields.

HASH_SW: A hash function value computed on the contents of software SW. Every
instance of SW has the same value of HASH_SW. HASH_SW is another notation for
HASH(SW). Sometimes HASH_SW is the result of a hash function value only on
portions of the software.

ID(X), ID(SP): A unique identifying number optionally associated with an object
X. For example, ID(Supervising Program) is the identification number of the
supervising program computed when a device is first turned on by combining the
time when the turn-on event occurred and possibly other information, including
information provided by the Guardian Center and the values of one or more memory
locations.

INF_SW: An unauthorized copy or derivative of a vendor's software SW that is
infringing on intellectual property or other rights as established by a vendor.
It is assumed that the vendor detects the distribution of the infringing
software and has a legal right to prevent infringing uses of that software.
Infringing software includes software whose tag has been inappropriately
removed, whose tag has been altered, or whose device identifier test, if any,
has been altered.

INST_SW: A specific instance (copy) of specific software selected from the
entire set of instances of the software SW. All instances of SW are identical.

NAME_SW: A name for the specific software SW.

NUM_INST_SW: A unique number associated with a specific instance of software
INST_SW. The number can be any mixed sequence of digits, characters, letters or
symbols or any other pattern. The same generality applies to the above
identifier ID(X).

POLICY(TAG_INST_SW) or USAGE SUPERVISION POLICY: Policies and rules prescribed
by a software vendor or other organization with respect to the protection of
intellectual property and access rights or pay-per-view use limitations
associated with software. The policies and rules may depend on the particular
instance of software. The POLICY(TAG_INST_SW) is enforced by the guardian center
GC and the supervising program.

SP, SUPERVISING PROGRAM: Supervising Program. A program integrated into a user
device that provides the mechanisms described herein which provide usage
supervision for instances of software on the user device.

PRIVATE_KEY_X: A private secret key used by X for producing digital signatures.

PUBLIC_KEY_X: A public key used by a recipient of data purported to be digitally
signed by X, to check and authenticate the signature.

SIGN_X(M): A digital signature by X on a message M, having the following
properties: (1) only X can have produced SIGN_X(M); (2) the recipient of the
digital signature can verify that X has

SPARSE_SET: A sparse, secret set of numbers from which, in one embodiment,
unique instance numbers are chosen for instances of all software. The instance
numbers may be produced by a physical process.

SPARSE_SET_SW: A sparse, secret set of numbers from which, in one embodiment,
unique instance numbers NUM_INST_SW are chosen for instances of one specific
software SW. So, an instance of software X could have the same instance number
as an instance of software Y. The numbers may be produced by a physical process.

SW: Specific vendor software protected by the invention, e.g. the code of
software named Spread.

TAG_INST_SW: A unique unforgeable signed or unsigned tag associated with a
specific instance of software

TAG TABLE: A table or file stored in a device containing information related to
tags associated with instances of software as well as information relating to
the use or usage supervision of software instances on that device.

UNTAGGED_SW: Software which does not have an associated tag TAG_SW and which a
user attempts to install or use on a user device. E.g., shareware or freeware or
user created software.

VRP: Verification Program in the Guardian Center GC.



Detailed Definitions for Technical Terms: 

Certain embodiments of the invention are complex in nature. As such, other
supporting definitions are provided below for some of the technical terms used by
certain embodiments of the invention:

1. A fingerprinting or hash function F: a mathematical function for mapping
data X to smaller data F(X) such that if X and Y are unequal, then it is highly likely
that F(X) and F(Y) are unequal. As an example of a hash function, X may be a
sequence of bytes. In addition, there is a number p which is a preferably randomly
chosen, but henceforth kept fixed, 64 bit prime number. The sequence X of bytes is
viewed as a number (written to the base 256, where the bytes are the digits of that
number) and F(X) = X mod p. Thus the value F(X) is a 64 bit string, no matter how
large X is.

2. An unaliasable hash function H: a fingerprinting function having the
further property that given X, it is easy to compute H(X), but it is intractable to
produce an X' such that H(X)=H(X') and X and X' are different.
"Intractable" means that the computational time required is generally understood to
be exponential or practically unfeasible in the size of X, according to the present
state of the art. An example of an unaliasable hash function is

3. Use of an instance of software: installing, using, executing, running,
connecting with, reading, otherwise retrieving from a storage medium or modifying
a storage medium, displaying, playing, viewing, printing, copying, transmitting, or
accessing an instance of software by use of or on a device.

4. A portion of an instance of software includes all of the text or data of that
instance or a sequence of parts of the text or data of that instance of software. The
parts need not be contiguous and may overlap with one another.

5. Fingerprinting process: given a sequence of locations in an array of data, a
computation of some function value on the values of those locations. For example, if
locations 16, 32, and 64 have values 3, 4, and 17 respectively, then a fingerprinting
process computes a function of 3, 4, and 17. This function may simply be the list of
those values (the three numbers in this example) or may be a hash function of the list
of those values. In another example, the locations may be i_1 to j_1, i_2 to j_2, up
to i_k to j_k. A fingerprinting process may compute a hash function value of each of
these k subsequences of the array and list the k computed values.

6. Fingerprint checking: a method for comparing two sequences of
fingerprints. This invention uses two kinds of fingerprint checking: same-location
fingerprint checking and general-location fingerprint checking. In both forms of
fingerprint checking, a list of fingerprints is computed based on the values in a list of
lists of locations. For example, suppose there are three fingerprints in the list f1, f2,
and f3 and f1 is computed from the values in locations 10, 20, 30, and 40, f2 is
computed from the values in locations 30 and 60, and f3 is computed from the
values in locations 100 and 200. Let us call this list the Send List. In both forms of
fingerprint checking, the receiver of the Send List computes the fingerprint list based
on the values at the same location lists as the sender. This fingerprint list is called
the Receive List.

In same-location fingerprint checking, a match is declared if each element of
Send List is equal to the corresponding element of Receive List. That is, the first
element of Send List equals the first element of Receive List, the second element of
Send List equals the second element of Receive List, and so on.

In general-location fingerprint checking, a match is declared if there is a
sufficiently large number of common elements in Send List and Receive List
regardless of location. How many is sufficient may depend on policy considerations
and on the length of the data text from which the fingerprints are taken, defined by a
parameter k. If k is 50 bytes, for example, then as few as one or a small number of
matches may be sufficient to establish that a Device List is likely to represent the
same software as a list in the Guardian Center's Fingerprint Data Structure (Figure 9,
137). Furthermore, certain matches may be given more weight than others, so fewer
matches of higher weight may be sufficient.

In addition to sending the Send List of fingerprints, the sender may send the 
list of location lists whose values produced Send List. This permits the fingerprints 
to be calculated to depend on an unpredictable random process. 

7. Unforgeability: a tag is unforgeable if it is computationally infeasible for
an adversary to produce a valid tag without knowledge of the secret information
used by the Tag Server (Figure 1, 102) to produce tags upon a vendor's request. This
invention uses digital signatures (Figure 3A) and sparse sets (Figure 3B and 3C) as
two preferred ways to achieve unforgeability of tags.

8. Secure transmission: a way of sending a value X such that only the
intended recipient can see X, though other agents may observe the network protocol
or see the package by which X is transported. A sealed envelope delivered by a
reliable courier is one way to securely transmit the contents of an envelope. Sending
a message by use of the IETF IPSEC or the NETSCAPE SSL protocols for secure
communication, is another way to ensure secure transmission over the
communication network (Figure 1, 100).

9. Event history: a timed record of all attempted uses, successful uses,
duration of uses, and/or other events such as power-ups associated with a tag table.
It is unlikely for two devices to have the same event history, even if they have the
same software instances and the same identifiers. An event history may be based
upon a record of use of a particular device by one or more users over time.
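
The fingerprint function of definition 1 and the two forms of fingerprint checking of definitions 5 and 6, including the option of sending the location lists with the Send List, as an added Python example that is not part of the patent text. The prime P, the 50-byte windows, the sample byte strings and every function name are assumptions made for the illustration.

```python
import secrets
from collections import Counter

# Assumption: the text asks for a randomly chosen, then fixed, 64-bit prime p.
# 2**64 - 59 (the largest prime below 2**64) is fixed here so runs are repeatable.
P = 2**64 - 59
K = 50  # window length in bytes, the value of k used as an example in the text


def fp(data: bytes) -> int:
    """Definition 1: treat the bytes as a base-256 number and reduce it mod p."""
    return int.from_bytes(data, "big") % P


def fingerprint_list(data: bytes, location_lists) -> list:
    """Definition 5: one fingerprint per list of byte offsets into `data`."""
    return [fp(bytes(data[i] for i in locs)) for locs in location_lists]


def window_locations(length: int, k: int = K) -> list:
    """Location lists i_1..j_1, i_2..j_2, ...: consecutive k-byte windows."""
    return [list(range(s, s + k)) for s in range(0, length - k + 1, k)]


def random_location_lists(length: int, n_lists: int, per_list: int) -> list:
    """Unpredictable location lists, to be sent along with the Send List."""
    rng = secrets.SystemRandom()
    return [sorted(rng.sample(range(length), per_list)) for _ in range(n_lists)]


def same_location_match(send_list, receive_list) -> bool:
    """Match only if every element equals its counterpart at the same index."""
    return len(send_list) == len(receive_list) and all(
        s == r for s, r in zip(send_list, receive_list))


def general_location_score(send_list, receive_list, weights=None) -> float:
    """Weighted count of fingerprints present in both lists, position ignored."""
    weights = weights or {}
    common = Counter(send_list) & Counter(receive_list)
    return sum(n * weights.get(f, 1.0) for f, n in common.items())


def general_location_match(send_list, receive_list, threshold, weights=None) -> bool:
    """Declare a match once the weighted count reaches the policy threshold."""
    return general_location_score(send_list, receive_list, weights) >= threshold


def image(tags) -> bytes:
    """Constructed sample 'software': one K-byte block per tag value."""
    return b"".join(b"A" * (K - 1) + bytes([t]) for t in tags)


# Constructed sample data (not from the patent).
VENDOR = image([1, 2, 3, 4])        # reference copy held by the guardian center
REORDERED = image([3, 4, 1, 2])     # same blocks, moved to different offsets
PARTIAL = image([1, 9, 10, 11])     # shares a single block with VENDOR
UNRELATED = image([9, 10, 11, 12])  # shares no block with VENDOR


def check(device_data: bytes, threshold: float = 1.0, weights=None) -> dict:
    """Receiver-side comparison of a device's Send List with the reference copy."""
    locs = window_locations(len(VENDOR))
    send = fingerprint_list(device_data, locs)   # computed by the sender
    receive = fingerprint_list(VENDOR, locs)     # recomputed by the receiver
    return {
        "same_location": same_location_match(send, receive),
        "score": general_location_score(send, receive, weights),
        "general_location": general_location_match(send, receive, threshold, weights),
    }


def check_with_sent_locations(device_data: bytes) -> bool:
    """Sender picks random locations and ships them with its Send List."""
    locs = random_location_lists(len(device_data), n_lists=8, per_list=6)
    send = fingerprint_list(device_data, locs)
    return same_location_match(send, fingerprint_list(VENDOR, locs))


if __name__ == "__main__":
    for name, data in [("identical", VENDOR), ("reordered", REORDERED),
                       ("partial", PARTIAL), ("unrelated", UNRELATED)]:
        print(name, check(data))
    print("random locations, identical copy:", check_with_sent_locations(VENDOR))
```

The reordered copy fails same-location checking yet shares all four window fingerprints with the reference, which is the case general-location checking exists for. With randomly chosen locations, a difference is noticed only if it falls on a sampled offset.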

Returning now to a discussion of the figures, Figure 2 provides a more
detailed illustration of the architecture of the system 109 configured according to the
invention. Figure 2 will be used as an outline for the overall description of the entire
operation of the invention. Throughout this description, reference will be made to
other figures describing in more detail each aspect of this invention.

In operation of the system 109, instances of software (INST_SW) 111
through 114 (labeled as SW1, SW2, SW3, SW4) are created by the software vendor
101 and stored in vendor storage 110. There may be more than one software vendor
101. Examples of software vendors 101 are publishing houses (creating
reproducible performance recordings or electronically readable books), computer
software developers (creating computer software application programs), data
collection companies (creating databases of information), individual programmers,
and so on. The software (SW) produced by software vendor 101 represents actual
software content (SW), which may include information, data or code. The software
(SW) may have an associated name (NAME_SW) which is typically assigned by
the software vendor 101. Each instance of software (INST_SW) 111-114 can be
thought of as a separate physical copy of the named software (SW). That is, each
instance of software (INST_SW) for particular software (SW) is merely a copy of
that software (SW) having the same name (NAME_SW) and the same code, data or
other informational content.
By way of example, if a word processing application program is created by
the software vendor 101 and is given the name (NAME_SW) "Write", the binary or
executable code, data or other information that comprises the Write program is
termed software (SW). Each individual copy of the Write software (SW) (e.g., each
disk containing a copy of the program) is a distinct instance of that software
(INST_SW) but has the same software content (SW). Thus in Figure 2, each
instance 111-114 may contain the same software content (SW), in which case each
instance 111-114 would have the same name (NAME_SW), or, each instance
111-114 may be representative of a copy of different software (SW) (i.e., different
data, code or other information) and the name of each instance (NAME_SW)
111-114 that has different software content (SW) would typically be different.

The tag server (TS) 102 creates, upon the vendor's 101 request, a unique
unforgeable tag (TAG_INST_SW) 120 for each instance of software 111-114. In a
preferred embodiment of the invention, a single unique tag is prepared for an
instance of software and is associated with that instance. In other embodiments,
multiple unique tags may be associated with one instance of software, but
preferably, two different instances of software do not share a common associated
tag.

In order to create the requested tags, the TS 102 (Figure 1) obtains (Figures
3A, 3B, & 3C, step 150) one copy of each specific software for instances of which it
will create tags. For example, it may have one copy of "Write 7.2" where Write 7.2
is a release or version of the program family Write. Generally, a tag 120 is a unique,
unforgeable sequence of data bits that is associated with a particular instance of
software (INST_SW) (i.e. one of 111-114). As will be explained, according to
embodiments of the invention, a user device 104 is unable to use an instance of
software 111-114 without first examining a valid tag 120 associated with that
instance of software 111-114.

Tags 120 for instances of software 111-114 are preferably stored in a tag
table 210 on a storage device 200 that is coupled to or that is integrally part of the
user device 104. An instance of software 111-114 can be used on a user device 104
only by reference to a tag 120 associated with that instance of software (one of
111-114) which is stored in the tag table 210, and only if the associated tag 120 for
that instance 111-114 has a usage status (Example Tag Table shown in Figure 6,
with Usage Status indicated in column 2) allowing use of the software instance on or
by the user device 104. That is, certain specific software includes the indication that
it can run only if a tag for an instance of that software is present. (A pirate may
remove this indication in which case the protection mechanisms for untagged
software, detailed below, will apply.) In this manner, aspects of the invention allow
and provide control over the use of software in certain embodiments by requiring a
valid tag specifically associated with that instance of software to be present on the
user device 104.

As will be explained further, the ability of components in a system
configured with the invention to track and manage tag creation, validation, and
enforcement provides unique advantages over prior art systems for software usage
control. Before further discussions of the remaining components of the system 109
in Figure 2 are provided, details of tag creation will be discussed.

Figures 3A, 3B, and 3C are flow charts showing preferred embodiments of
the processing steps performed during the tag creation process within the tag server
102 configured according to the invention. Since the figures are similar, many of
their step numbers are the same and the two figures will be explained
simultaneously.

In step 150, the tag server 102 obtains from its local storage a copy 111-114
of named software (NAME_SW, SW) to be tagged. In addition, the tag server 102
obtains a request for a tag (Figure 2) from the vendor 101. In step 151A (Figure 3A)
and 151B (Figure 3B) and 151C (Figure 3C), the tag server 102 generates a unique
number (NUM_INST_SW). In step 151A in Figure 3A, the number is simply
unique. However, in step 151B in Figure 3B and 151C in Figure 3C, the unique
number (NUM_INST_SW) is selected from sparse sets 118 (Figure 2).

Sparse sets 118 (Figure 2) are sets of secret numbers from which instance
numbers (NUM_INST_SW) are chosen for instances of named software
(NAME_SW, SW). Preferably there are relatively few such numbers compared
with the available range of numbers (e.g. if there are 100 million instances of a
particular software, and more than 10 billion billion possible numbers in the range
defined by 64 bits). As such, the sets 118 are referred to as sparse.

Sparseness makes it difficult for an adversary or software pirate to generate a
valid instance number. There may be one sparse set for all software, or a different
sparse set for each specific software defined by a set of related instances. In the
preferred embodiment one sparse set 118 is used as a source of instance numbers for
all software. However, having a separate sparse set 118 for each specific software
may permit simpler distributed management of instance number generation.

For example, there may be a sparse set of numbers 118 (SPARSE_SET_SW)
associated with the "Write" application software noted earlier, from which instance
numbers (NUM_INST_SW) are selected for each instance (INST_SW) of the Write
software. For security reasons, new members of sparse sets may be materialized or
generated on demand, by access to a physical process such as a photoelectric
counting device (not shown in the invention), for example.

In step 152 (Figures 3A and 3B), the tag server 102 computes a hash function
value on the software (SW) content or on a portion of the SW content. In the
preferred embodiment, if more than one instance of software (INST_SW) 111-114
that contains the same software content SW is to be tagged, then the hash
function value HASH_SW is computed only once for the software (SW), since each
instance 111-114 contains the same code, information, and/or data (i.e., has
the same SW content). Further, only the value HASH_SW needs to be retrieved or
generated by the tag server 102 once, rather than for each copy of the full
software. This aspect of the invention saves tag creation time when many
instances of the same software (SW) are to be tagged. In such cases, the hash
function value HASH_SW needs to be computed only once. In alternative
embodiments, computing the hash function value on only a portion of the
software content may be a further optimization, since this may reduce the time
required for building the hash function value on both the tag server 102 and on
the user device(s) 104-107.

In step 153 (Figures 3A, 3B and 3C), a second hash function value
HASH_INST_SW is computed, to be incorporated into the tag to be associated with
the software instance (INST_SW). Step 153 differs from step 152 in that the
hash value HASH_SW computed in step 152 is the same for all instances INST_SW
of the same software SW, whereas in step 153, the hash value HASH_INST_SW is
unique for each NUM_INST_SW of the same software SW. In one embodiment, the
second hash function value HASH_INST_SW combines together the name of the
software (NAME_SW), the unique number of the instance of the software
(NUM_INST_SW), and the previously computed (Step 152) hash function value
HASH_SW. Other hash value combinations such as name and software only, or
software and number only, or others, may now be recognized as providing a
similar functionality as understood by those skilled in the art. Such
combinations of data encoded via a hash function are meant to be within the
scope of this invention.

After the hash value HASH_INST_SW is computed for each instance of software
111-114, either a signed (Figure 3A) or unsigned (Figure 3B and 3C) tag may be
created for those instances 111-114 by steps 154A and 154B. In step 154A in
Figure 3A, a signed tag is created for an instance of software 111-114, whereas
in step 154B in Figure 3B&3C an unsigned tag is created for instances of
software 111-114. A signed tag ensures that the tag will be unforgeable by
digitally signing portions of the tag prepared, even if the instance numbers
are predictable (e.g., even if they are consecutive numbers). An unsigned tag
may not offer this protection, but since the unsigned tag created in step 154B
preferably includes an instance number NUM_INST_SW taken from the sparse set
151B, this alternative still assures unforgeability of the tag. The signed tag
TAG_INST_SW is computed in step 154A as follows:

TAG_INST_SW = (NAME_SW, NUM_INST_SW, HASH_INST_SW,
SIGN_TS(HASH_INST_SW))

where the term SIGN_TS is a digital signature function performed on the
HASH_INST_SW hash function value. The digital signature SIGN_TS is produced
by the tag server 102 using the private key PRIVATE_KEY_TS 117, which is a
digital key that is kept secret from all potential adversaries and all entities
in Figure 2, except the tag server 102 itself.

The unsigned tag TAG_INST_SW is computed in step 154B (Figure 3B) as
follows:

TAG_INST_SW = (NAME_SW, NUM_INST_SW, HASH_INST_SW).

After creation of a tag TAG_INST_SW by the tag server 102, the tag is
preferably securely transmitted (as shown by TAGS 120 in Figure 2, and as will
be explained in more detail with respect to Figures 13A&13B, in step 156) to
the requesting software vendor 101 and to the guardian center 103 where the
tag(s) 120 are stored in various tag data bases (as will be explained with
respect to Figure 9, 129, 138).

A tag 120 associated with an instance of software (e.g. 111) and the manner
in which the tag 120 is prepared by the tag server 102 serve a number of
important purposes in the invention:

(1) A device (e.g. 104) cannot use an instance 111 of a vendor's 101
software 111 unless the device 104 stores or has access to the associated valid
tag 120, preferably maintained in the device's 104 tag table 210 (shown in
detail in Figure 6) and unless that associated tag 120 has a usage status
(column 2 in Figure 6) in the tag table 210 that allows or indicates proper
usage for the associated instance 111.

(2) Through mandated call-up procedures (Figures 12, 13A&B), to be
detailed later, between a device (e.g. 104) and the guardian center 103, the
guardian center 103 can supervise, authenticate, track, validate and generally
control tag properties and ensure that the instance of software 111 associated
with a tag 120 is used in accordance with the vendor's 101 usage supervision
policy (maintained preferably at guardian center 103) for that instance of
software 111.

(3) The unforgeability of a tag 120 and the fact that tags 120 are
preferably transmitted in a secure manner ensure that only a user or user
device 104 who or that has rightfully obtained a tag 120 from a vendor 101 (or
tag server 102) and has used the associated instance of software 111-114 in
accordance with the vendor's 101 specified usage supervision policy (not shown
in this figure) for this instance of software 111, has this tag 120. This
aspect of the invention prevents an adversary or pirate from trying to create
and/or attempt to use a copy of a valid tag 120 which in turn would result,
according to the mechanisms of the invention, in punitive actions against the
copying adversary/pirate as well as against the rightful user or user device
using the instance of software 111 and the associated tag 120.



It is to be understood that there may be several alternative compositions of a
tag 120. One alternative is to have a subset of the fields described herein.
Specifically, the hash value HASH_INST_SW may not be included in a tag 120,
thus leaving NAME_SW and NUM_INST_SW in a tag 120. An advantage of such
an embodiment is that less data needs to be sent between system components
(e.g. 101, 102, 103, 104) and computed for each tag 120. A disadvantage may be
that the owner of a tag 120 might then attempt to associate the tag 120 with a
different specific software instance 111. This is prevented when HASH_INST_SW
is available in a tag 120 since the value HASH_INST_SW depends on HASH_SW and
HASH_SW can be used to verify that the software SW within an instance 111 is
correct or unaltered.

An alternative tag composition may be as follows: NAME_SW,
NUM_INST_SW, HASH_SW. Using this composition, every tag 120 will be
associated with software whose content (i.e. SW) matches with a hash function
to HASH_SW. A possible disadvantage of this scheme is that it may allow the
possibility that a pirate might generate illegitimate tags 120 that appear
correct. Depending upon the complexity of the embodiments of the invention
selected to protect the use of software, the systems described herein are
designed to alleviate the various noted problems.

As another example, a third alternative composition of a tag 120 may be as
follows: NAME_SW, NUM_INST_SW, HASH_SW, SIGN_TS(NAME_SW,
NUM_INST_SW, HASH_SW). In this type of tag 120, the digital signature
SIGN_TS prevents tag forgery, since preferably only the tag server 102
possesses the secret key SECRET_KEY_TS required for computation of the
signature function SIGN_TS.

Another tag field that may be removed is the field NAME_SW. An
advantage of this embodiment is to reduce the amount of data sent between
system components. The name may be unnecessary if the software instance
INST_SW indicates by some means other than the name which tag must be present
for INST_SW to run or be used. A nameless tag may work, for example, if there
is only one kind of software being distributed from a given software vendor
101, in which case a software vendor 101 identifier can serve as a name for the
software produced by that vendor. Alternatively, the NUM_INST_SW may be
globally unique across all kinds of software in which case the NAME_SW is
unnecessary.

Another field that may be removed from a tag 120 is NUM_INST_SW. An
advantage to this tag composition is a reduction in the amount of data that
must be sent over network 100 and a more simplistic tag generation scheme can
be used without a need for a unique number selection process (e.g. step 151 as
will be explained in Figures 3A, 3B, and 3C). A possible disadvantage is that
different tags having the same NAME_SW (if that field is kept) may become
indistinguishable, so duplicate instances 111-114 might be allowed.

Another alternative embodiment of tags is to include additional fields. A
unique identifier of a user device's (e.g. 104) Supervising Program (discussed
later in detail as 209 in Figure 4), denoted ID(SP) (209-A in Figure 4), may be
computed, for example, from a combination of a hardware identifier, if
available, the time when the device's 104 supervising program 209 was first
invoked and, if available, a unique number securely obtained by the device's
supervising program 209 from the guardian center 103 and the values of at least
one memory location within the device. This will be discussed in more detail
later, but is mentioned now to provide the reader with a more comprehensive
understanding of various tag creation processes. Including the identifier
ID(SP) 209-A of the user device's 104-107 supervising program 209 in a tag 120
associated with an instance of software 111 used on that device, may support
less expensive Guardian Center 103 call-ups as described in more detail below.

An additional field that may be included in an alternative tag and
tag-creation embodiment of the invention is a list of fingerprints for
specified locations of data within an instance of software INST_SW.
Fingerprints will be explained in more detail, but as their name suggests, a
fingerprint is a unique encoding of one or more portions or data areas selected
from an instance of software. The usage of fingerprints is illustrated in steps
151D and 151E of Figure 3 in which locations are selected and then a
fingerprint is computed on those locations and then a hash is computed on that
result. Including a fingerprint of an instance of software 111 within a tag 120
associated with that instance permits a supervising program (Figure 4, 209,
used to access the software) in a user device 104-107 to verify that the
association between INST_SW and the tag is correct by performing a same
location fingerprint check (Detailed Definitions, following Table 1, Figure 6)
on INST_SW and comparing with the list of fingerprints in the associated tag.
While the use of fingerprints may overlap the functionality of HASH_SW, they
permit greater efficiency for the validation of the correctness of the
association of a tag with an instance of software.

For large instances of software INST_SW, such as for example, an
encyclopedia or a video, the computation of HASH_SW, which requires the
supervising program to scan the whole of INST_SW, will require considerable
time. If the tag associated with INST_SW contains the above fixed location
fingerprint values computed by the tag server, the supervising program (209 in
Figure 4) only needs to access those locations in INST_SW and compute the
corresponding fingerprint values. Using the above fingerprints provides
additional protection benefits, since the locations on which the fingerprints
are computed by the tag server can be changed over time in response to piracy
attacks.

Similar efficiency and security benefits are obtained if the hash function
value HASH_SW is computed (Figure 3A&B, step 152) by the tag server 102 only
on specified portions of SW, instead of the whole of SW. The specified
locations in an instance of software INST_SW 111-114 for which fingerprints are
computed by the tag server 102, may explicitly accompany the fingerprints in
the tag 120 or may be included in the instance INST_SW or in the device's
104-107 supervising program (Figure 4, 209). The advantage of incorporating
these fingerprint locations in a tag 120 is that the fingerprints can vary for
each instance INST_SW being sent, with the fingerprints serving as a kind of
unique NUM_INST_SW and permitting random checks of software code alterations.
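The same-location fingerprint check described above, as an added example that is not code from the patent. It assumes SHA-256 as the fingerprint function and a list of (offset, length) pairs as the location format; the type and function names and the 1 MiB image are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"io"
)

// Location is one fixed data area of INST_SW selected by the tag server.
type Location struct {
	Offset int64
	Length int
}

// countingReader records how many bytes a check actually reads.
type countingReader struct {
	r io.ReaderAt
	n int64
}

func (c *countingReader) ReadAt(p []byte, off int64) (int, error) {
	n, err := c.r.ReadAt(p, off)
	c.n += int64(n)
	return n, err
}

// Fingerprints returns one SHA-256 value per location (assumed fingerprint
// function). The tag server runs it when building the tag; the supervising
// program runs it again on the device.
func Fingerprints(sw io.ReaderAt, locs []Location) ([][32]byte, error) {
	out := make([][32]byte, 0, len(locs))
	for _, l := range locs {
		buf := make([]byte, l.Length)
		n, err := sw.ReadAt(buf, l.Offset)
		if n < len(buf) {
			// A short read means the instance is truncated at this location.
			return nil, fmt.Errorf("location %d+%d: short read: %v", l.Offset, l.Length, err)
		}
		out = append(out, sha256.Sum256(buf))
	}
	return out, nil
}

// SameLocationCheck recomputes the fingerprints at the tag's locations and
// compares them with the tag's list. It returns the verdict and the bytes read.
func SameLocationCheck(sw []byte, locs []Location, want [][32]byte) (bool, int64) {
	cr := &countingReader{r: bytes.NewReader(sw)} // on a device: an *os.File
	got, err := Fingerprints(cr, locs)
	if err != nil || len(got) != len(want) {
		return false, cr.n
	}
	for i := range got {
		if got[i] != want[i] {
			return false, cr.n
		}
	}
	return true, cr.n
}

// SampleImage builds a constructed 1 MiB stand-in for a large INST_SW.
func SampleImage() []byte {
	img := make([]byte, 1<<20)
	for i := range img {
		img[i] = byte(i*31 + i>>8)
	}
	return img
}

func main() {
	img := SampleImage()
	locs := []Location{{4096, 64}, {500000, 64}, {1000000, 64}}
	tagFPs, _ := Fingerprints(bytes.NewReader(img), locs) // tag server side

	ok, read := SameLocationCheck(img, locs, tagFPs)
	fmt.Printf("unaltered: ok=%v, read %d of %d bytes\n", ok, read, len(img))

	inside := append([]byte(nil), img...)
	inside[500010] ^= 0xff // alteration inside a fingerprinted location
	ok, _ = SameLocationCheck(inside, locs, tagFPs)
	fmt.Println("altered inside a location: ok =", ok)

	outside := append([]byte(nil), img...)
	outside[10] ^= 0xff // alteration elsewhere: only a hash over all of SW sees it
	ok, _ = SameLocationCheck(outside, locs, tagFPs)
	fmt.Println("altered outside all locations: ok =", ok,
		"full hash equal =", sha256.Sum256(outside) == sha256.Sum256(img))
}
```

The check reads 192 bytes of the 1 MiB image, which is the efficiency gain over recomputing HASH_SW. Its coverage is limited to the chosen locations, which is why the text has the tag server vary them per instance and over time.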

Accordingly, tags 120 consisting of the following field combinations all fall
within the scope of this invention: the tags produced as a result of processing
in Figures 3A, 3B, and 3C; any of the above combinations of fields plus a form
of supervising program identifier 209-A (Figure 4) for a user device (e.g.:
104) such as ID(SP), where the value ID(SP) may be combined in computing the
hash function value HASH_INST_SW; any of the above combinations of fields plus
a list of fingerprints associated with the contents of SW, where the values of
these fingerprints may be combined in the computation of the hash function
value HASH_INST_SW; and any superset of any of the above combination of fields.
Though the above tag and processing descriptions describe specific
implementations of embodiments of the invention, those skilled in the art
should understand that tags are generally provided by the invention to uniquely
identify and control use of one or more specific instances of software.

Once the tags 120 are created for the instances of software 111 through 114,
the tags 120 are securely transmitted by the tag server 102, in step 156, to
the guardian center's database(s) (to be explained with respect to Figure 9,
129, 138) or to the user device 104, or to the software vendor or to any
combination of the above entities.

Turning attention now back to Figure 2, the tags 120 can be securely
distributed by the tag server 102 to one or more of the software vendor(s) 101,
the guardian center(s) 103, and the user device(s) 104. If the tags 120 are
securely transmitted by the tag server 102 back to the software vendor 101 but
not to user devices 104-107, then the tags 120 will be securely distributed by
the software vendor 101, along with the instances of software 111-114, to the
user devices 104-107. Alternatively, the instances of software 111-114 are
obtained by the user device(s) 104-107 separately from the tags 120, which can
be obtained directly by the user device(s) 104-107 from the tag server 102.
Alternatively, the tags 120 can be obtained from one or more guardian center(s)
103.

The instances of software 111-114 themselves are not required to be securely
distributed, though they may be in alternative embodiments of the system 109 of
the invention. Distribution of the instances of software 111-114 can take place
in a number of ways. The instances 111-114 may be downloaded from the software
vendor(s) 101 via downloading mechanisms supported over the communication
network 100 (Figure 1). Examples of downloading mechanisms are the File
Transfer Protocol (FTP), PUSH protocols that send information to a receiver,
TCP/IP and World Wide Web related protocols, and other protocols used to
transfer data over busses between computer processors, or over other types of
computer networks such as communication network 100, which may be the Internet,
for example.

Alternatively, the user device(s) 104 may be pre-equipped with the instances
of software 111-114 that are pre-installed by a user device manufacturer (not
shown) which may or may not be the same entity as the software vendor(s) 101.
An example would be an instance of software 111-114 embedded in firmware within
a user device 104. As another alternative, users (not shown in this figure) of
the user device(s) 104 may purchase the instances of software 111-114 on a
user-device readable medium, such as a magnetically encoded hard or floppy disk
or an optical medium such as a CD-ROM, DVD disc, video or audio tape,
holographic storage device, or another medium that can carry information. In
each of the above alternative ways for the user devices 104-107 to obtain an
instance of software 111-114, the associated tag 120 which according to the
invention is required for using that instance of software can directly
accompany the instance of software or can be separately and preferably securely
transmitted to the device.

The user device 104, as shown in Figure 2, includes a coupling to a user
device storage mechanism 200. The user device storage 200 is able to maintain
each instance of software 111-114, a tag table 210 and a fingerprint table 126.
The purpose and details of fingerprint and tag tables 126, 210 will be
explained in more detail shortly.

Figure 4 illustrates a preferred architecture of a user device 104 configured
according to the invention. The user device 104 includes an internal bus 206
which couples the user device storage 200, a processor 201, a memory 202, an
interconnection mechanism 203, and a user input/output mechanism 204. A user
213 interacts with the user device 104. The user 213 is preferably a human
being, though the invention can be applied to systems in which usage
supervision as explained herein is implemented on electronic components within
larger non-human interaction environments. In this illustration, the user 213
is shown to be interacting directly with the instances of software 111-114 to
highlight the purposes of the invention. In practice, the user 213 may actually
interface with the user input/output mechanism 204 which indirectly supplies
input and output to and from the instances of software 111-114 under the
control of the processor 201.

The user input/output mechanism 204 may be one or more of a keyboard,
mouse, microphone, speaker, monitor, heads-up or virtual reality display, or
other input/output device used to communicate information to and/or from the
user 213 or other mechanism (i.e., non human) that interacts with the user
device 104. The input/output mechanism 204 may also serve as a means by which
the user device 104 is provided with the instance of software 111-114. In this
case, the input/output mechanism 204 may include such mechanisms as a CD-ROM or
DVD drive, scanner, floppy disk drive, or another mechanism that can be used to
load information onto the user storage device 200 or into the memory 202 or
into buffers (not shown in Figure 4) which may be included in or associated
with the user device (e.g.: 104).

The interconnection mechanism 203 is used to interface to the
communication network 100 and may be a device such as a modem, network
interface card, wireless transceiver, or other device used for communications.

The user storage device 200, which may be a hard, floppy or optical disk
drive, RAID array, file server, or other read/write storage mechanism is used
to maintain various components and data used by the invention. Specifically, as
illustrated in this embodiment, the user storage device 200 maintains the
instances of software 111-114, the tag table 210, the fingerprint table 126, a
supervising program 209 (Figure 4) and an operating system 207 including a
kernel 208. The operating system 207, as understood in the art, is typically
loaded into memory 202 upon startup of the user device 104 and executes in
conjunction with the processor 201 to control the overall operation of the
various components of the user device 104. Alternatively, the operating system
and components of this invention may be embedded in the architecture of the
processor or system embodying the invention.

An example of a user device 104 is a personal computer or workstation.
Examples of the processor 201 are an Intel-based processor such as a Celeron,
Pentium, Pentium II, Pentium III, or 80x86 family or a SPARC-based processor
using RISC technology or a MIPS processor. These processor names may be
trademarks of respective microprocessor manufacturing companies. Examples of
the operating system 207 are any of the Windows-based operating systems such as
Windows NT, Windows98, Windows95, WindowsCE or Windows 3.1 manufactured by the
Microsoft Corporation of Redmond, Washington, or the operating system 207 may
be, for example, a UNIX-based system such as Solaris from Sun Microsystems,
Inc. of Mountain View, California. Other embodiments of the user device 104 may
be dedicated devices that use specialized processors 201 which have custom or
embedded operating systems 207. Those skilled in the art should understand that
the user device 104, as stated previously, can be any type of device that is
microprocessor controlled. The invention is not meant to be limited by the
architecture of the user device 104 shown in Figure 4. Rather, any device that
can access software for a user is meant to be within the scope of this
invention.

In order to provide the usage supervision aspects of the system of the
invention, the supervising program (SP) 209 is provided and executes in
conjunction with the operating system 207, the tag table 210, the instances of
software 111-114, and optionally, the fingerprint table 126 (Figure 4). The
supervising program (SP) 209 is preferably a separate entity from the operating
system 207, though it may be an extension thereof. The supervising program (SP)
209 is also preferably a software program written in any programming language
(e.g., C, C++, Java, Assembler, or any other language) and preferably uses an
application programming interface (API) provided by the operating system 207 to
interface with and control certain functions of the operating system 207.
Alternatively, in an embedded system user device 104, the operating system 207,
supervising program (SP) 209, and other data and/or components within user
device 104 may all be embedded or completely represented via electronic
circuitry or stored in a memory.

In a preferred embodiment of the invention, upon each startup (i.e.,
power-up) of the user device 104, the operating system 207, supervising program
(SP) 209 and tag table 210 are read into memory 202 from the user storage
device 200. On the first startup of the user device 104, preferably, an
identifier ID(SP) 209-A for the device's supervising program 209 (Figure 4) is
computed and stored in a secure location. This identifier 209-A, as discussed
in the glossary above (Table 1, ID(SP)), is computed based on some combination
of the following: a hardware identifier, if available; a number provided by a
guardian center 103 (Figure 2), if available; and the value of a high precision
timer (e.g., microsecond) within the device 104. In the system of this
invention, the supervising program (SP) 209 serves as a usage supervision
interface between the instances of software 111-114 and the operating system
207. Before the operational aspects of usage supervision provided by the
supervising program (SP) 209 are explained in detail, the installation of
instances of software 111-114 and the associated tags 120 onto user device 104
will be discussed.

Figure 5 illustrates the steps involved to install an instance of software
INST_SW and the associated tag TAG_INST_SW onto a user device 104 according
to a preferred embodiment of the invention. Both the tags 120 and the instances
of software 111-114 may be installed by being loaded onto the user device 104
through a user input/output mechanism 204, or may be electronically installed
via reception from the communication network 100 through the interconnection
mechanism 203. The steps in Figure 5 are preferably performed by the processor
201 executing the supervising program (SP) 209 code provided as part of the
invention. The supervising program 209 can reside in the operating system 207,
as an extension to the kernel 208, for example, or may reside and execute as a
separate process above the kernel 208 and operating system 207.

In either case, the user device 104 (in this example a personal computer, but
the provisions of the invention apply to any other device in the sense of the
invention) obtains an instance INST_SW of a specific named software
(NAME_SW, SW) in step 250 in Figure 5. In step 251, the user device 104
securely obtains the tag TAG_INST_SW associated with the instance of the named
software obtained in step 250. In step 252, the system of the invention
determines if the tag TAG_INST_SW is a signed or unsigned tag. Step 252 may be
performed by examining the tag information received to determine if the SIGN_TS
function value is present or not within the tag TAG_INST_SW. Next, the
supervising program proceeds to validate the tag and its proper association
with the instance of software as follows.

In a preferred embodiment of the invention the tag is created by the tag
server 102 according to the steps in Figures 3A, 3B or 3C and has the contents
produced by step 154A (Figure 3A) for a signed tag and 154B (Figure 3B and 3C)
for an unsigned tag. If the tag TAG_INST_SW is a signed tag, step 253 (Figure
5) invokes a part of the supervising program (SP) 209 to compute the hash
function value V = HASH(INST_SW) and a hash function value U = HASH(NAME_SW,
NUM_INST_SW, V). The supervising program 209 then compares the value U with
the value HASH_INST_SW found in the tag TAG_INST_SW. If the two compared
values do not agree then the tag is invalid. If the values U and V agree then
the supervising program 209 further verifies, by use of the tag server's 102
public key PUBLIC_KEY_TS (Figure 2, 116), the digital signature on SIGN_TS
(HASH_INST_SW) that exists within the tag TAG_INST_SW. If the tag server's
signature in SIGN_TS(HASH_INST_SW) is not validated, then the tag
TAG_INST_SW is not valid. When the instance of named software (NAME_SW,
SW) obtained in step 250 is found in step 253 to be associated with an invalid
tag TAG_INST_SW obtained in step 251, the instance of software is rejected in
step 254.

If the tag TAG_INST_SW is an unsigned tag, step 257 invokes a part of the
supervising program (SP) 209 to verify the hash values for the hash function
value HASH_INST_SW that exists within the tag TAG_INST_SW by the same steps
that were used above for the case of a signed tag. If the HASH_INST_SW value
does not properly evaluate, then there is an error in the tag TAG_INST_SW and
the instance of named software (NAME_SW, SW) obtained in step 250 that is
associated with the invalid tag TAG_INST_SW is rejected in step 254.
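Signed tag creation (steps 151A to 154A) and the install-time check of step 253, as an added example that is not code from the patent. SHA-256, Ed25519, the length-prefixed field encoding and all type and function names are assumptions, since the text names no algorithms; the software content is a constructed byte string.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Tag is the signed tag of step 154A:
// (NAME_SW, NUM_INST_SW, HASH_INST_SW, SIGN_TS(HASH_INST_SW)).
type Tag struct {
	NameSW     string
	NumInstSW  uint64
	HashInstSW [32]byte
	SignTS     []byte
}

var (
	ErrHashMismatch = errors.New("HASH_INST_SW does not match this software")
	ErrBadSignature = errors.New("SIGN_TS not valid under PUBLIC_KEY_TS")
)

// HashSW is step 152: one hash over the software content, reused per instance.
func HashSW(sw []byte) [32]byte { return sha256.Sum256(sw) }

// HashInst is step 153: HASH(NAME_SW, NUM_INST_SW, HASH_SW). The name is
// length-prefixed so that field boundaries are unambiguous (an assumption;
// the text does not fix an encoding).
func HashInst(name string, num uint64, hashSW [32]byte) [32]byte {
	var lenBuf [4]byte
	var numBuf [8]byte
	binary.BigEndian.PutUint32(lenBuf[:], uint32(len(name)))
	binary.BigEndian.PutUint64(numBuf[:], num)
	h := sha256.New()
	h.Write(lenBuf[:])
	h.Write([]byte(name))
	h.Write(numBuf[:])
	h.Write(hashSW[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// TagServer keeps PRIVATE_KEY_TS to itself and publishes PUBLIC_KEY_TS.
type TagServer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
	next uint64 // consecutive, hence predictable, instance numbers (step 151A)
}

func NewTagServer() (*TagServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TagServer{priv: priv, Pub: pub, next: 1}, nil
}

// NewTag performs steps 151A, 153 and 154A for one instance.
func (ts *TagServer) NewTag(name string, hashSW [32]byte) Tag {
	num := ts.next
	ts.next++
	hi := HashInst(name, num, hashSW)
	return Tag{NameSW: name, NumInstSW: num, HashInstSW: hi,
		SignTS: ed25519.Sign(ts.priv, hi[:])}
}

// VerifyTag is the supervising program's install-time check (step 253).
func VerifyTag(t Tag, sw []byte, pubTS ed25519.PublicKey) error {
	v := HashSW(sw)                         // V = HASH(INST_SW)
	u := HashInst(t.NameSW, t.NumInstSW, v) // U = HASH(NAME_SW, NUM_INST_SW, V)
	if u != t.HashInstSW {
		return ErrHashMismatch // tag belongs to other or altered software
	}
	if !ed25519.Verify(pubTS, t.HashInstSW[:], t.SignTS) {
		return ErrBadSignature // hash is consistent but not issued by the tag server
	}
	return nil
}

func main() {
	ts, err := NewTagServer()
	if err != nil {
		panic(err)
	}
	sw := []byte("constructed stand-in for the Write application image")
	tag := ts.NewTag("Write", HashSW(sw))
	fmt.Println("genuine tag:       ", VerifyTag(tag, sw, ts.Pub))
	fmt.Println("different software:", VerifyTag(tag, []byte("other content"), ts.Pub))

	// Next consecutive number with a correct hash, but no signature over it.
	guess := tag
	guess.NumInstSW++
	guess.HashInstSW = HashInst(guess.NameSW, guess.NumInstSW, HashSW(sw))
	fmt.Println("unsigned guess:    ", VerifyTag(guess, sw, ts.Pub))
}
```

The unsigned path of step 257 is the same function without the signature test, which is why that variant depends on NUM_INST_SW coming from a sparse, secret set rather than from a counter as here.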

Rejection in step 254 can simply mean that the user device 104 discards or
removes or does not allow use of the instance of software INST_SW and its
associated tag TAG_INST_SW that were obtained in steps 250 and 251. Step 256
can also be executed which activates a user device (e.g., 104) punitive action.
Punitive action for a user device 104 may include shutting down or disabling
the device for future use. Punitive actions will be discussed in more detail
with respect to usage supervision features of this invention.

If the hash function values and the signature SIGN_TS(HASH_INST_SW)
are verified in step 253 for a signed tag, or if the hash function value
HASH_INST_SW is verified in step 257 for an unsigned tag, then step 255 stores
the instance of software INST_SW (111-114 in Figure 2) associated with the tag
onto the user storage device 200, and also stores the associated tag
TAG_INST_SW for the instance of software (e.g., 111) into the tag table 210
with the status "INSTALLED" attached to the tag (in column one of the table 210
illustrated in detail in Figure 6, as will be explained more completely later).

In an alternative embodiment in which a tag contains a supervising program
identifier ID(SP) 209-A, the supervising program 209 verifies that the
supervising program identifier 209-A in the tag 120 is the same as the
supervising program identifier 209-A stored on the user device 104. In an
alternative embodiment in which a tag 120 contains a fingerprint list based on
specified locations on the software content SW, the supervising program 209
verifies that the fingerprint list matches the fingerprints computed at the
same specified locations in the software SW, where matching is based on the
same-location fingerprinting, as described in the definitions above and as
explained in detail herein.

Figure 6 illustrates the contents of an example tag table 210. Generally, the
tag table 210 includes information required by the supervising program (SP) 209
to make a determination of whether or not a user 213 of the user device 104 or
the device 104 itself is allowed usage of an instance of software 111-114.
Through a process which will be explained shortly, the supervising program 209
can detect the attempted use of an instance of software 111-114 and can check
information maintained in the tag table 210 to determine usage supervision
characteristics for a tag TAG_INST_SW associated with the requested instance
111-114.

Periodically, the supervising program (SP) 209 will perform a call-up
procedure which interfaces the user device 104 with the guardian center 103
(Figure 2). During the call-up procedure, tag information in the tag table 210
for each instance of software 111-114 installed on a user device 104 which is
performing the call-up is verified by the guardian center's 103 (Figure 2)
verification program (Figure 9, 315) so as to instruct the supervising program
209 on the user device 104 to make usage supervision determinations with
respect to the instance of software 111 for which the user 213 is requesting
use.

Figure 6 shows a device's (i.e., 104) tag table 210 in a preferred embodiment
of the invention. Each valid tag TAG_INST_SW 120 obtained via Step 251 in
Figure 5 for each installed instance of software 111-114 is stored in the first
column labeled "TAGS" in the tag table 210. The tags in the TAGS column in tag
table 210 are labeled TAG_INST_SW1, TAG_INST_SW2, TAG_INST_SW3,
TAG_INST_SW4 and UNTAGGED_SW. Other information in the tag table 210,
which will be described in more detail, includes, for each tag, a USAGE STATUS
list (Column 2), an ACTION TIME (Column 3), a RUN COUNT (Column 4), and a
USE TIME (Column 5). The supervising program (SP) 209 uses the tag table
information for each tag entry (i.e. each tag table row) to determine how to
process a request for use of each instance of software 111-114 associated with
a respective tag TAG_INST_SW.

Briefly, the USAGE STATUS column in tag table 210 generally indicates to
the supervising program 209 whether an instance of software 111-114 is usable
or not for a user 213 or a device 104-107. If use of software is to be allowed,
the status column will indicate "CONTINUED" or "INSTALLED", while if use is to
be denied, this condition is indicated by the term "GC_DISABLED". "INSTALLED"
followed by "REMOVED" status terms indicate that a tag TAG_INST_SWn for an
instance of software 111-114 was formerly installed on the user device 104 but
is no longer installed and consequently is not usable. The ACTION TIME column
indicates a time stamp (e.g., Day and Time) of the last status determination
(e.g., the time of the last call-up and tag verification procedure - to be
explained) performed by the supervising program (SP) 209 (Figure 2). The RUN
COUNT column in tag table 210 indicates the number of times an instance of
software 111-114 associated with a tag TAG_INST_SWn (where n is a number 1
through 4 in this example) has been used on a user device 104-107. Finally, the
USE TIME column in tag table 210 indicates the total elapsed time during which
the instance of software 111-114 associated with TAG_INST_SWn has been used
since the last call-up procedure between the device and the guardian center or,
in another embodiment, since being installed.

The various fields (i.e., rows) associated with each tag (Column 1) are used
by the system of this invention for various purposes explained herein. Tags serve to
identify the row of the tag table 210 that the supervising program (SP) 209 must
examine to determine whether a given software instance 111-114 can be properly or
validly used, based on the content of that associated row. The current USAGE
STATUS field of the chosen row determines whether use of the software instance
(i.e., one of 111-114 in this example) is allowed.

As will be explained, when use is allowed, the supervising program (SP) 209
can track use times and run counts for the instance 111-114 being used. This
information can be used to construct the event history of a user device 104-107, and
can also serve other purposes such as tracking use on pay-per-use or pay-per-view
instance of software 111-114. The event history is a timed record of all attempted
uses, successful uses, duration of uses, and other events such as power-ups at a
device. It is unlikely for two devices to have the same event history, even if they
have the same software instances and the same identities.

In one embodiment, no two devices have the same software instances and the
same tag or supervising program or device identifiers. However, knowledgeable
software pirates may attempt to exactly copy the disk image of one device to
another, in which case tag, device, and supervising program identifiers might be
exactly duplicated. The invention contemplates avoidance of such piracy in certain
embodiments by allowing at least one of the unique identifiers (i.e., one of either a
software tag 120 or a supervising program identifier 209-A) to contain information
such as a hardware processor identification number (i.e., processor serial number for
example) which associates that identifier (e.g., tag 120 (Column 1 in Figure 6), SP
ID 209-A, or device ID) with a particular processor or hardware chassis. That is, if a
pirate attempts to circumvent the usage supervision protection of the invention by
duplicating the entire disk information and transferring the duplicated disk to
another device, the invention can allow hardware device identification mechanisms
to be incorporated into tag information and during tag validation (i.e. during call-up
processing - to be explained), the hardware identification information can be
checked accordingly.

It should be understood that this embodiment supplements the invention
mechanisms which use device usage statistics maintained at the guardian center 103
(Figure 2) to track two devices trying to use the same tag information. That is, if a
pirate copies a disk from a legitimate device 104 into another device (i.e. 107), it is
almost impossible, according to the aspects of this invention, for the illegitimate user
213 of the pirated device 107 to use the device 107 in such a manner that exactly
duplicates the use of the legitimate device 104. As such, when each device 104, 107
performs a call-up to the guardian center 103 (Figure 2) to perform tag validation,
the guardian center 103 (Figure 2) will detect one of either device 104, 107 as
having inconsistent usage or call-up statistics, with respect to the other device (i.e.
the other of 104, 107). Thus, once each device 104, 107 has made a call-up, one of
the devices 104, 107 will appear as fraudulently attempting software use. At that
point, the system of the invention can perform punitive action contained in a
continuation message (to be explained shortly) to disable one or both devices, the
software on the devices, use of the devices, or any combination thereof. Reporting
illegal or illegitimate use to the proper authorities (e.g., law enforcement, software
vendors) can also be performed by the invention.

As an example of pay-per-use or pay-per-view, each time an instance of
pay-per-use software 111-114 is used, the supervising program (SP) 209 can record
this in the RUN COUNT field (Column 4) in the tag table 210 for the tag
TAG_INST_SW associated with that instance 111-114. RUN COUNT information
can later be used for billing purposes.

Also included in the tag table 210 is a header field HEADER_TAG_TABLE
which uniquely identifies this particular tag table 210 for this particular user device
104. The header HEADER_TAG_TABLE may be unique on either a per user 213
or per user device 104 basis. If tag tables 210 are unique on a per user 213 basis,
each user account (i.e., login account) on a user device 104 can have its own tag
table 210 for that user 213. The per user tag table 210 can maintain the tags
TAG_INST_SW for instances of software 111-114 to be used that may, for
example, have been purchased by that user 213 only. In other words, while only one
tag table 210 is illustrated, the invention may track tag use and usage supervision for
many users 213, or each user may have a separate tag table 210.

The HEADER_TAG_TABLE preferably includes an ID_TAG_TABLE field
which indicates a unique identification for this tag table 210. The ID_TAG_TABLE
field preferably includes an identification of the supervising program's 209 ID(SP)
209-A. In addition, it may include the identification of the user 213 ID(USER) with
which this tag table 210 is associated, as well as an identification of the user device
104 ID(DEVICE) (e.g., serial number or host-id as noted above), and an
identification of the operating system 207 ID(OS).

An example of the user identification ID(USER) may be a username and/or
password combination. An example of the identification of the user device
ID(DEVICE) may include the hostname, host id, IP address, serial number or other
hardware or device specific information that can uniquely distinguish this user
device 104 from other user devices (e.g., 104-107 in Figure 1).

ID(SP) 209-A may be, for example, comprised of information having to do
with the time when a device 104-107 is first powered on based on a precision
clock (205 in Figure 4). Two ID(SP)'s 209-A from different devices (i.e., 104, 105)
will rarely be equal if the high precision clocks 205 are at microsecond accuracy. To
reduce the risk of equal ID(SP)'s the ID(SP) 209-A may also include a hardware
serial number if available and a number from a guardian center 103 (Figure 2) if
available. It is possible for a would-be pirate to copy the disk image in which case
two devices might have the same ID(SP). As briefly noted above and as will be
discussed further, this can be caught by the guardian center 103 (Figure 2) during
call-up. The operating system 207 may also have unique identification information
such as serial numbers or the like which can be used for identification in the
ID_TAG_TABLE field.

The header field HEADER_TAG_TABLE (top row of tag table 210 in
Figure 6) also includes a "last guardian center continuation message" field
LAST_GC_CM, a "last call-up time" field LAST_CALLUP_TIME, and a "number
of device power-ups" field NUMBER_DEVICE_POWERUPS. In addition, the
header includes two fields having to do with the event history: the current event
history: HASH(EVENT_HISTORY) and the hash of the event history as of the
most recent call-up
HASH(EVENT_HISTORY_AS_OF_MOST_RECENT_CALLUP).

The LAST_GC_CM field in the header (row 1 of table 210) contains a
continuation message value which is an unforgeable message from the guardian
center (GC) 103 (Figure 2) that contains an encoding of tag table 210 update
information as well as actions and punitive actions specified by the GC 103 (Figure
2) for the user device's supervising program SP. The LAST_CALLUP_TIME in the
tag table 210 header is used, in combination with other tag table data, by the
supervising program 209 to determine when a next call-up to the GC 103 (Figure 2)
may be required according to a CALL-UP_POLICY. The
NUM_DEVICE_POWERUPS is used locally as part of the method to determine
when a call-up is needed.

The event history may include information such as when each software
instance 111-114 on a device 104-107 is invoked and possibly when external inputs
to the user device 104-107 (i.e., user 213 interaction) occur. The purpose of the
event history is to characterize a device 104-107 based on its past behavior or use of
the device. This may be useful because static information such as supervising
program identifiers 209-A and tags 120 may be copied from one device 104-107 to
another, but dynamic information as embodied in the event history is likely to
diverge even for devices 104-107 having the same static information. Since the
event history can be large, a hash function value of the event history is maintained
instead of the event history itself. Preferably, two event history hash function values
are retained in order to allow processing to continue during a call-up procedure.
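
The disk-copy scenario and the two event-history hash fields described above can be made concrete with the following added example, which is not part of the original specification. The rolling SHA-256 construction, the class names, the sample events and the rule that the guardian center compares the reported "as of most recent call-up" hash with the value it stored at the previous call-up are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, replace

ZERO = b"\x00" * 32  # hash of an empty event history (assumed initial value)


def extend(history_hash: bytes, event: str) -> bytes:
    """Fold one timed event into the rolling HASH(EVENT_HISTORY)."""
    return hashlib.sha256(history_hash + event.encode("utf-8")).digest()


@dataclass
class TagTableHeader:
    sp_id: str                         # ID(SP) 209-A, duplicated by a disk copy
    event_hash: bytes = ZERO           # HASH(EVENT_HISTORY)
    hash_at_last_callup: bytes = ZERO  # HASH(EVENT_HISTORY_AS_OF_MOST_RECENT_CALLUP)

    def record(self, event: str) -> None:
        self.event_hash = extend(self.event_hash, event)


class GuardianCenter:
    """Keeps, per ID(SP), the event-history hash reported at the last call-up."""

    def __init__(self) -> None:
        self.last_reported: dict[str, bytes] = {}

    def call_up(self, header: TagTableHeader) -> str:
        expected = self.last_reported.get(header.sp_id)
        if expected is not None and header.hash_at_last_callup != expected:
            # The caller's past does not continue the record held here: another
            # device with the same identifiers has called up in the meantime.
            return "GC_DISABLED"
        self.last_reported[header.sp_id] = header.event_hash
        header.hash_at_last_callup = header.event_hash
        return "CONTINUED"


def simulate_disk_clone() -> list[tuple[str, str]]:
    """Constructed scenario: device 104 is copied to device 107 after a call-up."""
    gc = GuardianCenter()
    dev104 = TagTableHeader(sp_id="SP-constructed-0001")
    dev104.record("t=10 power-up")
    dev104.record("t=12 run TAG_INST_SW1")
    results = [("104 first call-up", gc.call_up(dev104))]

    # Byte-for-byte disk image copy: identifiers and both hashes are duplicated.
    dev107 = replace(dev104)

    # From here on the devices are used differently, so the hashes diverge.
    dev104.record("t=50 run TAG_INST_SW2")
    dev107.record("t=47 power-up")
    dev107.record("t=48 run TAG_INST_SW1")

    results.append(("104 second call-up", gc.call_up(dev104)))
    results.append(("107 call-up", gc.call_up(dev107)))
    return results


if __name__ == "__main__":
    for who, verdict in simulate_disk_clone():
        print(f"{who}: {verdict}")
```

Whichever of the two devices calls up second is the one whose history fails to continue the stored record, which matches the statement above that one of the devices will appear inconsistent once each has made a call-up.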

As will be explained, a continuation message CM (Figure 2, 212; Figure
13B, 423) is preferably also stored in the LAST_GC_CM field of the tag table
header (top row of table 210 in Figure 6). The CM 212 is a message prepared by
the guardian center 103 (Figure 2) during a call-up procedure with the user device
104 and is preferably securely transmitted by the guardian center 103 (Figure 2) to
the device 104-107 performing the call-up. A continuation message CM 212
includes information so that the supervising program (SP) 209 on the user device
104 can determine which instances of software 111-114 are allowed to continue to
be used or should be disabled because of improper use, and can also define other
actions or punitive actions to be executed by the device's supervising program 209.

The LAST_CALLUP_TIME field contains a time stamp of the last call-up
process (to be explained) that occurred, and the NUM_DEVICE_POWERUPS field
contains the number of times that the user device 104 has been powered up. As will
be explained, the supervising program (SP) 209 in each user device 104 is
responsible for maintaining (though not necessarily generating) accurate information
in the tag table 210, including header information such as
NUM_DEVICE_POWERUPS, LAST_CALLUP_TIME, and the LAST_GC_CM
continuation message. That is, a continuation message (CM) 212 (Figure 2) is
generated by the guardian center 103 (Figure 2) and securely passed to the
supervising program (SP) 209 on a user device 104. Upon receipt, the supervising
program (SP) 209 is preferably responsible for parsing the continuation message
(CM) 212 (Figure 2) and updating the tag table 210 with the most recent usage
supervision information (i.e., updating tag table fields).

The information in the header field HEADER_TAG_TABLE can uniquely
identify the tag table 210 and can be used by the supervising program (SP) 209 to
update usage supervision information for each instance of software 111-114
installed on the user device 104. The idea is that the tag table 210 for each user or
each user and/or user device 104 combination is uniquely identifiable via
HEADER_TAG_TABLE from other tag tables 210 for other users 213 or other user
devices 104 or user/user device combinations.

When a new instance of software 111-114 and its associated tag 120 are
obtained and installed or used via the steps in Figure 5, the tag table 210 entry (i.e.,
the row in tag table 210) for that tag TAG_INST_SWn has the ACTION column
value set to INSTALLED to indicate the instance of software 111-114 associated
with that tag is newly added or installed on that user device 104. The ACTION
TIME value is either left blank or indicates the time of installation. The RUN
COUNT and USE TIME column values are set to zero or "0" or are left blank.

According to another aspect of the invention, usage supervision can be
provided for software instances 111-114 which do not have an associated tag
TAG_INST_SW (Column 1) created for insertion in the tag table 210. Any such
instance 111-114 is referred to as an untagged instance of software or simply as
untagged software. An example of untagged software would be user 213 created
software. User created software may be legitimately created, as in the case of a user
213 writing or creating a software program or a song. User created software may
also be illegitimately created, in which case it is referred to as infringing software
INF_SW. It is desirable to allow a user device 104-107 to use legitimate untagged
software and the invention's usage supervision enables such use. However, at the
same time, according to the mechanisms of the invention, the present invention can
detect and prevent use, as well as, if so desired, exact punitive actions on a user
device 104-107, if that device attempts to use infringing software that is either
tagged or untagged.

Infringing software INF_SW might, for example, be created as follows. A
pirating vendor may create instances of pirated software by taking a legitimate
specific software instance 111-114, such as a book or an application program on a
CD-ROM, and removing from the included installation program for that
software all references to any required tag 120. The pirating vendor might then sell
copies of the changed software (i.e., that no longer requires reference to an
associated tag) under a different name as untagged software. Another example of
tagless software is infringing software created by a pirate as a modified or derived
version of a legitimate vendor's software SW, such as for example, an unauthorized
translation of a vendor's book into another language or a recompiled version of an
application program. The system of the invention prevents, tracks, and protects
against the use of such unauthorized software on user devices 104-107.

To do so, the invention introduces a concept called fingerprinting.
Essentially, fingerprinting produces values associated with an instance of software
which are unique to the content of the software (SW) for that instance. If
fingerprints of an illegally made copy of an instance of software can be obtained, the
invention provides a way to detect other attempts by other user devices 104-107 to
use similar illegally made copies. According to the invention, fingerprints
associated with a particular piece of software are preferably when a user 213
attempts to install or use untagged software on the user device 104.

Figure 7 illustrates the process of installing untagged software on a user
device (in this example, user device 104 will be used in the discussion). In step 330,
the user 213 installs (or creates) an instance of untagged software (i.e., an untagged
instance of 111-114) on the user device 104. The untagged software
UNTAGGED_SW may, for example, appear simply as a string of binary data
(STRING[0...N]) and initially has no associated tag. Upon an attempt to use the
untagged instance 111-114, in step 331, the supervising program (SP) 209 detects
that no tag TAG_INST_SW exists in the tag table 210 for this instance of software
and thus the supervising program (SP) 209 fingerprints the untagged software
instance 111-114 using a fingerprint function FP. The fingerprint function may, for
example, be a hash function.

In step 331, each fingerprint Xi is equal to the value produced by the
fingerprint function FP which preferably operates on a portion of the untagged
software STRING[i, i+k-1], where 0<=i<=m-k+1 for a fixed standard k. There can
be m chosen indexes. In other words, a fingerprint function FP is performed on
selected segments of the untagged software data STRING[0...N], where N is the
total length of the untagged software in bits. Preferably, the fingerprint function FP
produces a number of fingerprints (m), each offset from the next. In step 332, the
supervising program (SP) 209 stores the fingerprints Xi1 through Xim in the
fingerprint table 210 of the user device 104.

In an alternative embodiment, fingerprints are created based on 
non-consecutive portions of the untagged software. 

In another alternative embodiment, fingerprints are computed when software
is used, based on the behavior of the software. An example of behavior may be the
sequence of system calls the software makes. Game software for example may have
specific patterns for writing to the screen. These patterns may be incorporated into
the fingerprint of the instance of software.

Finally, in step 337, the supervising program (SP) 209 creates an untagged
tag entry UNTAGGED_SW in the tag table 210 to indicate the presence of an
untagged instance of software 111-114 on the user device 104. The
UNTAGGED_SW tag in tag table 210 can use a hash function or other means to
uniquely associate the tag UNTAGGED_SW with the untagged instance of software
which was fingerprinted. Using the above described process, any attempt to use or
install an untagged instance of software 111-114 on a user device 104 results in that
untagged instance being fingerprinted and also results in an UNTAGGED_SW tag
being created in the tag table 210.

As will be explained later, the fingerprint table 126 will be used by the
guardian center 103 (Figure 2) to detect uses of infringing software INF_SW of
which the guardian center 103 (Figure 2) has been made aware. Details of the use of
the fingerprint aspect of this invention will be discussed in more detail later.
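
The windowed fingerprinting of steps 331 and 332 and the later comparison at the guardian center can be sketched as follows. This is an added example, not code from the specification: SHA-256 as the function FP, byte-sized windows (the text counts bits), evenly spaced offsets, the constants K, M and MATCH_THRESHOLD, and the sample data are all assumptions.

```python
import hashlib

K = 64                 # fixed standard window length k, in bytes here (assumption)
M = 8                  # number of chosen indexes m (assumption)
MATCH_THRESHOLD = 0.5  # assumed share of matching windows that triggers a report


def fingerprints(data: bytes, k: int = K, m: int = M) -> list[str]:
    """Apply FP (SHA-256 here) to m windows data[i:i+k] at evenly spaced offsets i."""
    if len(data) <= k or m <= 1:
        return [hashlib.sha256(data[:k]).hexdigest()]
    last = len(data) - k
    offsets = sorted({(last * j) // (m - 1) for j in range(m)})
    return [hashlib.sha256(data[i:i + k]).hexdigest() for i in offsets]


def match_fraction(device_fps: list[str], known_fps: list[str]) -> float:
    """Share of a device's fingerprints found in the guardian center's records."""
    known = set(known_fps)
    return sum(fp in known for fp in device_fps) / len(device_fps)


def is_reported(device_fps: list[str], known_fps: list[str]) -> bool:
    """Guardian-center decision for one untagged instance (assumed rule)."""
    return match_fraction(device_fps, known_fps) >= MATCH_THRESHOLD


def constructed_blob(seed: str, blocks: int = 64) -> bytes:
    """Deterministic stand-in for a software instance (constructed sample data)."""
    return b"".join(
        hashlib.sha256(f"{seed}:{n}".encode()).digest() for n in range(blocks)
    )


def demo() -> dict[str, float]:
    inf_sw = constructed_blob("INF_SW")
    known = fingerprints(inf_sw)      # fingerprints the guardian center already holds

    renamed_copy = bytes(inf_sw)      # same content offered under a different name
    altered_copy = bytearray(inf_sw)
    altered_copy[10] ^= 0xFF          # one changed byte, inside the first window only
    own_program = constructed_blob("user-written")  # legitimate untagged software

    return {
        "renamed": match_fraction(fingerprints(renamed_copy), known),
        "altered": match_fraction(fingerprints(bytes(altered_copy)), known),
        "own": match_fraction(fingerprints(own_program), known),
    }


if __name__ == "__main__":
    for name, fraction in demo().items():
        print(f"{name}: {fraction:.3f}")
```

Because several independent windows are fingerprinted, a copy whose name or a small region has changed still matches on most windows, while legitimately user-created software matches on none.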

Figure 8 shows the high level steps performed by the system 109 of this
invention when a user 213 attempts to use an instance of software (INST_SW)
111-114 on a user device 104. In step 270, the user 213 interfaces with the user
input/output mechanism 204 on the user device 104 to use an instance of the
software 111-114. In step 271, the supervising program (SP) 209 intercepts the call
to invoke use of the instance of software 111-114. At this point, the supervising
program (SP) 209 will ensure that the instance of software 111-114 requested has a
tag TAG_INST_SW that indicates a "CONTINUED" status in the tag table 210.
However, before checking the individual tag TAG_INST_SWn, in a preferred
embodiment, the supervising program (SP) 209 ensures that the tag table 210 itself
is in a valid or updated state. By valid state, what is meant is that the tag table 210 is
not outdated and in need of a call-up procedure to update its contents. Accordingly,
in step 272, the supervising program (SP) 209 accesses the tag table 210 to
determine if a call-up to the guardian center 103 (Figure 2) is required at the current
time.

In an alternative embodiment, if a fingerprint is included in the tag, the 
supervising program SP 209 may check that the software instance being used is 
properly associated with this tag by using a same location fingerprint. 

Periodically, a call-up process is performed by the system of the invention to
effectively re-authenticate the validity and enforce the usage supervision policy of
each tag TAG_INST_SWn in the tag table 210. The call-up process takes place
between the guardian center 103 (Figure 2) and the user device(s) 104. There may
be many triggering events that can cause a call-up to be made to the guardian center
103 (Figure 2).

For example, the call-up determination made in step 272 by the supervising
program (SP) 209 can be made by examining the LAST_CALL-UP_TIME field in
the tag table header HEADER_TAG_TABLE. If the time stamp in
LAST_CALL-UP_TIME has exceeded a certain elapsed time, then a call-up to the
guardian center 103 (Figure 2) is needed and is made by proceeding to step 273
where call-up processing is performed. Alternatively, there may be a call-up policy
(CALL-UP_POLICY) for the tag table 210 itself which defines a set of rules or
conditions that must be met in order for a call-up to be required.

In other embodiments, there may be call-up policies
(CALL-UP_POLICY_SW) associated with individual instances of software
111-114. In this case, step 272 can examine the rules or tests of the call-up policy
(CALL-UP_POLICY_SW) associated with the software content SW or the instance
of software (INST_SW) 111-114 that was requested access by a user 213 in step
270. In another embodiment, if the user 213 of a user device 104 attempts to use an
untagged instance of software, step 272 may mandate that a call-up is needed. In
another embodiment, if the user 213 of a user device 104 uses tagged software for
the first time, then step 272 may mandate that a call-up is needed. In another
embodiment, the maximum allowed interval between successive call-up procedures
is preferably determined by a combination of elapsed time in a user device 104, the
number and duration of uses to instances of software 111-114, the number of times
the device 104 is powered on, and/or by any other measure that is related to time or
use of the device 104.

Call-up processing will be discussed in more detail later. Essentially
however, during call-up processing, the supervising program (SP) 209 in a user
device 104 securely transfers a copy of the tag table 210 and the fingerprint table
126 to the guardian center 103 (Figure 2). After verification, the guardian center
103 (Figure 2) compares each tag TAG_INST_SWn in the tag table 210 against a
list of compromised tags. The guardian center 103 (Figure 2) can detect tags that are
invalid or compromised in some manner.

A usage supervision policy POLICY(TAG_INST_SW) associated with each
tag can also be checked at the guardian center 103 (Figure 2) to ensure that tags 120
(and therefore instances of software associated with the tags) are being used in
compliance with the usage supervision policy POLICY(TAG_INST_SW). The
policy may be for an entire user device 104-107 or on a per user 213 or per tag 120
basis. Also, for untagged software, the fingerprint table 126 can be compared
against a fingerprint data structure (explained later) in the guardian center 103
(Figure 2) to detect uses of infringing software INF_SW. After analysis of the tag
table 210 and fingerprint table 126 are complete, the guardian center 103 (Figure 2)
prepares and sends a continuation message (CM) 212 (Figure 2) back to the user
device 104.

In an alternate embodiment, tagged software may also be checked by
fingerprinting. This embodiment prevents a pirating vendor from distributing
instances of specific software that is infringing on intellectual property or other
rights of a legitimate vendor (i.e., 101), as tagged software, i.e. accompanied by
legitimate tags obtained from a tag server 102. In this embodiment the user device's
104-107 supervising program 209 performs a fingerprinting process on tagged
software instances 111-114 as well, and stores the computed fingerprints in its
fingerprint table 126. During a call-up procedure, the fingerprints obtained from
tagged software instances 111-114 used on the user device 104-107 will also be sent
to the guardian center 103 (Figure 2) to detect use of infringing software.

The continuation message (CM) 212 (Figure 2) contains various information
that can affect the operation of instances of software 111-114 on a user device (e.g.,
104), or operation of the user device 104 itself. For example, if the guardian center
103 (Figure 2) detects an invalid tag TAG_INST_SWn in a tag table 210 for a user
device 104, the continuation message (CM) 212 returned to that user device 104
may cause the user device 104 to become inactivated or disabled for a specified
period of time or indefinitely. Alternatively, the continuation message (CM) 212
may cause the user device 104 to inactivate use of the particular instance of software
(INST_SW) 111-114 associated with an invalid tag 130.

The action(s) taken at a user device 104 are defined in an ACTIONS portion
of the continuation message (CM) 212, and will be described in more detail later.
The continuation message 212 is also used by the supervising program (SP) 209 in
the user device 104 to update information in the tag table 210. For example, the
ACTION TIME column of that tag table 210 may be updated with a time stamp of
the most recent continuation message (CM) 212, thus providing an indication of
when each tag TAG_INST_SWn was most recently checked by the guardian center
103 (Figure 2).

Continuing with the description of the processing in Figure 8, after call-up
processing is complete in step 273, the tag table 210 is updated on the user device
104 in step 277 (i.e., via the continuation message 212), and processing returns to
step 272. Once the user device 104 determines that a call-up to the guardian
center 103 (Figure 2) is not required at this time, processing proceeds to step 274 to
determine the usage status of the particular instance of software 111-114 for which
use was requested by a user 213 in step 270.

In step 274, the supervising program (SP) 209 in the user device 104
essentially examines the USAGE STATUS column in the tag table 210 for the tag
TAG_INST_SWn associated with the requested instance of software 111-114. If the
USAGE STATUS column indicates "CONTINUED", then the supervising program
(SP) 209 signals to the kernel 208 of the operating system 207 to allow use of the
requested instance of software 111-114 in step 275. If the USAGE STATUS
column in the tag table 210 for the tag (TAG_INST_SWn) associated with the
requested instance of software 111-114 indicates "GC_DISABLED" or
"REMOVED", then the supervising program 209 denies use of the instance of
software 111-114 in step 276.

If use is allowed to the requested instance of software 111-114, the
supervising program (SP) 209 increments by one the value in the RUN COUNT
column for the tag TAG_INST_SWn associated with the requested instance of
software 111-114. The supervising program (SP) 209 also tracks the amount of time
that the requested instance of software 111-114 is in use and updates the USE TIME
column for the tag accordingly.
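
The Figure 8 flow (steps 270 through 277) can be followed end to end in the added example below, which is not part of the specification. The one-week call-up interval, the dictionary layout of the continuation message, the GuardianStub class and the sample tags are assumptions; handling of untagged software (Figure 7) is left out.

```python
from dataclasses import dataclass, field

MAX_CALLUP_INTERVAL = 7 * 24 * 3600   # assumed CALL-UP_POLICY: at most one week
USABLE = {"CONTINUED", "INSTALLED"}   # status values for which use is allowed


@dataclass
class TagRow:
    usage_status: list            # USAGE STATUS list, most recent entry last
    action_time: float = 0.0      # ACTION TIME
    run_count: int = 0            # RUN COUNT
    use_time: float = 0.0         # USE TIME


@dataclass
class TagTable:
    last_callup_time: float = 0.0                    # LAST_CALLUP_TIME
    last_gc_cm: dict = field(default_factory=dict)   # LAST_GC_CM
    rows: dict = field(default_factory=dict)         # tag -> TagRow


class GuardianStub:
    """Stand-in for the guardian center: disables tags on a compromised-tag list."""

    def __init__(self, compromised):
        self.compromised = set(compromised)
        self.callups = 0

    def call_up(self, table: TagTable, now: float) -> dict:
        self.callups += 1
        status = {tag: "GC_DISABLED" if tag in self.compromised else "CONTINUED"
                  for tag in table.rows}
        return {"time": now, "status": status}       # assumed CM layout


class SupervisingProgram:
    def __init__(self, table: TagTable, guardian: GuardianStub):
        self.table, self.guardian = table, guardian

    def request_use(self, tag: str, now: float, duration: float) -> bool:
        # Step 272: is the tag table outdated and in need of a call-up?
        if now - self.table.last_callup_time > MAX_CALLUP_INTERVAL:
            cm = self.guardian.call_up(self.table, now)   # step 273
            self._apply(cm)                               # step 277
        # Step 274: examine USAGE STATUS for the requested tag.
        row = self.table.rows.get(tag)
        if row is None or row.usage_status[-1] not in USABLE:
            return False                                  # step 276: deny use
        row.run_count += 1                                # step 275: allow use
        row.use_time += duration
        return True

    def _apply(self, cm: dict) -> None:
        self.table.last_gc_cm = cm
        self.table.last_callup_time = cm["time"]
        for tag, status in cm["status"].items():
            row = self.table.rows[tag]
            row.usage_status.append(status)
            row.action_time = cm["time"]


def demo():
    """Constructed scenario: TAG_INST_SW3 is on the compromised-tag list."""
    table = TagTable(rows={"TAG_INST_SW1": TagRow(["INSTALLED"]),
                           "TAG_INST_SW3": TagRow(["INSTALLED"])})
    guardian = GuardianStub(compromised={"TAG_INST_SW3"})
    sp = SupervisingProgram(table, guardian)
    day = 24 * 3600
    outcomes = [
        sp.request_use("TAG_INST_SW3", 1 * day, 600),  # table fresh: allowed
        sp.request_use("TAG_INST_SW3", 8 * day, 600),  # call-up first, then denied
        sp.request_use("TAG_INST_SW1", 8 * day, 300),  # no second call-up: allowed
    ]
    return outcomes, table, guardian


if __name__ == "__main__":
    outcomes, table, guardian = demo()
    print(outcomes, guardian.callups, table.rows["TAG_INST_SW3"].usage_status)
```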

Figure 9 illustrates a preferred embodiment of the architecture of the
guardian center 103 (Figure 2). The guardian center 103 (Figure 2) includes a bus
306 which couples a processor 301, a memory 302, an interconnection mechanism
303, a clock 304 and a guardian center authorization database 300. The guardian
center 103 (Figure 2) is preferably a high-powered computer system such as a
multi-processor server which can perform many transactions for multiple processes
at one time. The interconnection mechanism 303 is, for example, a modem bank or
one or more high bandwidth network connections allowing the guardian center 103
(Figure 2) to communicate with many user devices 104 simultaneously via
communication network 100.

The guardian center's 103 (Figure 2) authorization database (GCDB) 300 is
preferably a large database sub-system or disk or RAID array having the capability
to store vast amounts of information. In this embodiment, the GCDB includes a
tagged software database 138 (Figure 9) which holds data for instances of tagged
software, and a fingerprint data structure 137. The tagged software database 138
(Figure 9) includes call-up records (Figure 10, 320, 321) for each tagged instance of
software on each user device 104. The content and use of each of these databases
137 and 138 (Figure 9) will be explained in more detail shortly.

During operation of the guardian center 103 (Figure 2), memory 302 is used
to store a verification program (VRP) 315 which executes in conjunction with
processor 301 to perform the guardian center functions described herein. Memory
302 also stores user device tag tables 210 and fingerprint tables 126 which get
transferred to the guardian center 103 (Figure 2) for tag verification and usage
supervision determination during the call-up procedure explained briefly above.

Figure 10 shows the data structures 320, 321 maintained in the tagged
software database 138 (Figure 9) in the guardian center 103 (Figure 2) for each
instance of tagged software (e.g., 111-114). The tag data structure 320 is initially
provided to the guardian center 103 (Figure 2) from the tag server 102 upon creation
of tags 120 for each instance of software 111-114. Preferably, the manner in which
the tags 120 are provided to the guardian center 103 (Figure 2) from the tag server
102 is via electronic and secure distribution over the communication network 100.
Alternatively, software vendors 101 can be responsible for ensuring that the
guardian center 103 (Figure 2) is kept aware of tag information for each instance of
software 111-114 that is distributed to user devices 104-107.

A tag data structure 320 exists in the tagged software database 138 (Figure 9)
for each instance of software that is used on a user device 104. As illustrated, each
tag data structure 320 includes various fields. These fields include the tag for that
instance of software TAG_INST_SW, the usage supervision policy
POLICY(TAG_INST_SW) for that software, and a list of references to one or more
call-up records CALL-UP_RECORDn 321 for that instance of software.

The policy POLICY(TAG_INST_SW) associated with a tag
TAG_INST_SWn for an instance of software 111-114 is prescribed by the software
vendor 101 or another organization and defines the rules and policies with respect to
the protection of usage rights or pay-per-use access limitations for the instance of
software associated with that tag. For example, for a tag data structure 320
associated with a specific instance of software 111-114, the
POLICY(TAG_INST_SW) data may include a rule stating that for each use to the
instance of software, the user device 104 must pay a prescribed fee.

During call-up processing (to be explained shortly), when the guardian center
103 (Figure 2) receives the tag table 210 from a user device 104, the number of
times a particular instance of software 111-114 has been used by that user device
104 can be determined from the RUN COUNT column associated with the tag
TAG_INST_SWn for that instance of software in the tag table 210. The guardian
center 103 (Figure 2) can then look to the policy POLICY(TAG_INST_SW) for the
tag data structure 320 associated with that tag TAG_INST_SWn in the tagged
software database 138 (Figure 9). The guardian center 103 (Figure 2) can determine
if the number of uses as indicated by the RUN COUNT field in the tag table 210 is
greater than a previous number obtained from a former call-up process. If the
number is greater, the guardian center 103 (Figure 2) can record this information
for billing purposes to be sent to the owner or user 213 of the user device 104.

Other usage supervision policies POLICY(TAG_INST_SW) may be defined
to cause the guardian center 103 (Figure 2) to allow only a certain number of uses of
a particular instance of software 111-114. When the number of uses is exceeded, the
guardian center 103 (Figure 2) can cause the USAGE STATUS field associated in
the user device's tag table 210 with the tag associated with the above instance of
software, to be set to the value "GC_DISABLED". The change is effected at the user
device 104 by specifying the appropriate information in the continuation message
(CM) 212 sent from the guardian center 103 (Figure 2) to that user device 104 after
analysis of tag table 210. When the user device 104 attempts to use the instance of
software 111-114 associated with the tag TAG_INST_SWn that is disabled (i.e.,
TAG_INST_SW3 in Tag Table 210 in Figure 6), use will be denied as explained
above in Figure 7.

Each tag data structure 320 in the tagged software database 138 (Figure 9)
within the guardian center 103 (Figure 2) includes a number of references to call-up
records CALL-UP_RECORDn 321 as shown in Figure 10. A call-up record
CALL-UP_RECORDn 321 includes a call-up time CALL-UP_TIME, the header
field HEADER_TAG_TABLE from the tag table 210 of the calling user device 104,
an optional hash function value of the tag table 210 HASH(TAG_TABLE), and an
ACTIONS field. Thus, there is one CALL-UP_RECORD per call-up, regardless of
the number of tags sent.

The CALL-UP_TIME field indicates the time-stamp of the call-up for the
current CALL-UP_RECORDn. The HEADER_TAG_TABLE contains the tag table
header of the tag table 210 that contains the TAG_INST_SWn for this tag data
structure 320 as received from the calling user device 104 during the call-up
procedure n. The HASH(TAG_TABLE) field contains an unaliasable hash function
value computed on all of the data in the tag table 210 which included the tag
TAG_INST_SWn associated with the tag data structure 320. Finally, the ACTIONS
field lists the actions prescribed by the guardian center during the call-up procedure
n, to be performed for the instance of software 111-114 that is associated with a tag
TAG_INST_SW for the tag data structure 320. Using the tag data structures 320
for each instance of software 111-114, the guardian center 103 (Figure 2) can
maintain detailed information related to usage supervision mechanisms for instances
of software 111-114 used via user device(s) 104.

Figure 11 shows the processing steps which result in the creation of the
fingerprint data structure 137 maintained within the guardian center 103 (Figure 2).
As previously noted and explained with respect to Figure 7, fingerprints are created
and stored in a fingerprint table 126 within each user device 104 when untagged
software, and possibly also tagged software, is first used on the user device 104.
According to this invention, software pirates may infringe upon legitimate vendor
rights by either copying vendor software and removing the part of the software that
requests confirmation of a tag or by creating and distributing derivatives of
legitimate software. The software thus produced is called infringing software
INF_SW. The fingerprint data structure 137 created within the guardian center 103
(Figure 2) will contain fingerprints computed on infringing instances of software
INF_SW.

In Figure 11, in step 340, the software vendor 101 detects the existence of an
instance of infringing software (INF_SW). In step 341, the software vendor 101
submits a copy of the instance of infringing software INF_SW to the guardian center
103 (Figure 2). The infringing software is merely a string of binary digits (bits)
appearing as STRING_INF[0...N]. In step 342, the guardian center computes a
collection of fingerprints Yi on the instance of infringing software, using the same
fingerprint formula FP as the supervising program(s) (SP) 209 on each of the user
device(s) 104 use to compute fingerprints. That is, a series of fingerprints Yi are
computed as follows:

Yi = FP(STRING_INF[i, i+k-1])

where 0<=i<=n-k+1, with n-k being the number of fingerprints to compute. Then, in
step 343, the guardian center 103 (Figure 2) incorporates each of the computed
fingerprints Y1,...Yn-k+1 into the fingerprint data structure 137 in the GCDB 300.
In an alternative embodiment, fingerprints are computed on non-consecutive
sequences of STRING_INF, those sequences being unique or nearly unique to
INF_SW.

The fingerprint process is then complete at the guardian center 103 (Figure
2) and the infringing software INF_SW can be discarded or can be made available to
other guardian centers 103 (Figure 2) elsewhere on this or another communication
network 100.

At this point, when the supervising program (SP) 209 on a user device 104
detects a request to use an untagged (and possibly infringing) instance of software
UNTAGGED_SW 111-114, the supervising program (SP) 209 records fingerprints
of UNTAGGED_SW. Later when the SP 209 performs a call-up procedure to
transfer the tag table 210 and the fingerprint table 126 to the guardian center 103
(Figure 2), the recorded fingerprints of UNTAGGED_SW will be sent. In one
embodiment, an access request on a user device 104-107 to use the untagged
instance may cause the call-up to occur. Using general-location fingerprinting, the
fingerprints in the fingerprint table 126 can be compared to the fingerprints in the
fingerprint data structure 137 at the guardian center 103 (Figure 2). If the software
instance UNTAGGED_SW is a copy of an infringing software instance INF_SW
that the guardian center 103 (Figure 2) has been made aware of and has fingerprinted
on its own, this will be detected and punitive action can be carried out on the user
device 104 via return of a continuation message 212. In another embodiment, the
system-call behavior (i.e. the sequence of system calls) of UNTAGGED_SW on
user device 104 is compared with the system call behavior expected of INF_SW on
the guardian center 103 (Figure 2). In another embodiment, the steps detailed in the
last two paragraphs are applied also in the case of a request on a user device for use
of tagged software.

Aside from the fingerprinting aspects of this invention, during a call-up
procedure to be explained next, the verification program 315 in the guardian center
103 (Figure 2) also reads and compares the information in the tag table 210 with
information in the tag software database 138 (Figure 9) to make usage supervision
decisions.

Figure 12 illustrates the steps performed by the supervising program (SP)
209 executing on a user device 104 to perform a call-up procedure in a preferred
embodiment of the invention. The steps in Figure 12 are performed within step 273
in Figure 8.

In step 370 in Figure 12, the supervising program (SP) 209 calls up the
guardian center 103 (Figure 2). By call-up, what is meant is that the supervising
program (SP) 209 on the user device 104 connects with or exchanges messages with
the guardian center 103 (Figure 2) via communication network 100. In the preferred
embodiment, the supervising program (SP) 209 sends the HEADER_TAG_TABLE
to the Guardian Center 103 (Figure 2). The Guardian Center 103 (Figure 2) causes a
call-up failure unless the previous continuation message consisting of the
ID_TAG_TABLE of the device, the time as of the last call-up
LAST_CALLUP_TIME is equal to CALLUP_TIME of the most recent
CALL_UP record having this same HEADER_TAG_TABLE. An advantage of this
embodiment is that even if several devices 104-107 have the same
ID_TAG_TABLE (Row 1 of tag table 210 in Figure 6) and the same tags 210 (an
occurrence that is normally due to piracy), those same devices may have received,
but will not properly accept the same continuation message 212 for a reason to be
explained below, so only one device (i.e., one of 104-107) will send a particular
HEADER_TAG_TABLE.

A call-up is made in accordance with the CALL-UP_POLICY or
CALL-UP_POLICY(TAG_INST_SW) as explained above in response to a user's
attempt to use an instance of software 111-114 on a user device 104-107. That is,
when the user 213 attempts to use an instance of software 111-114 for which the
time allowed before the next call-up according to the CALL-UP_POLICY of the
user device 104 or the CALL-UP_POLICY(TAG_INST_SW) of the software (SW)
for that instance has expired, the supervising program 209 on that device 104-107
initiates step 370. In another embodiment, the SP 209 executes a call-up procedure
at a chosen time before the expiration time, regardless of whether a use of an
instance of software 111-114 is requested. The CALL-UP_POLICY can be
maintained within the supervising program 209 on the user device 104. In addition,
it is possible that a call-up may occur because a portion of the supervising program
209, executing regardless of use requests, determines that it is time to perform a
call-up. For example, it may take place as the result of a certain number of
BOOTUPS (power-ups) of a user device 104-107 having taken place or the first use
of untagged software.

If the call-up to the guardian center 103 (Figure 2) in step 371 fails, then
processing proceeds to step 376 where punitive action may be performed by the
supervising program (SP) 209 on the user device 104. In the preferred embodiment,
the supervising program (SP) 209 will perform a new call-up, retrying several times
before beginning punitive action. In the case that punitive action is necessary in step
376, the punitive action may merely be to inform the user 213 that the instance of
software 111-114 that was requested is temporarily inaccessible due to a
communications failure.

If the call-up is successful and a connection is established to the guardian
center 103 (Figure 2) from the user device 104, then in step 372, the supervising
program (SP) 209 preferably securely sends or transmits the tag table 210 from the
user device 104 to the guardian center 103 (Figure 2). In an alternative embodiment,
the supervising program (SP) 209 also sends the fingerprint table 126 to the guardian
center 103 (Figure 2) as well. That is, the fingerprinting aspects of this invention
may or may not be incorporated into an embodiment in order to detect the use of
user created or user modified infringing software.

After step 372 is complete, the supervising program (SP) 209 enters a wait
state until a continuation message (CM) 212 is sent and received from the guardian
center 103 (Figure 2). Alternatively, the supervising program SP 209 may go into a
sleep state after step 372 is complete and run again following an interrupt from the
Operating System (OS) 207. In an alternative embodiment, the supervising program
SP could continue to process requests from the user. Guardian center 103 (Figure 2)
call-up processing will be explained shortly with respect to Figures 13A and 13B.
When the guardian center 103 (Figure 2) has completed its call-up procedure
processing, a continuation message (CM) 212 is sent to the user device 104.

In step 373, the supervising program (SP) 209 checks for the return of a
continuation message 212 as defined in the call-up policy CALL-UP_POLICY of
the user device 104. As an example of checking for a continuation message (CM)
212 within the call-up policy CALL-UP_POLICY, step 373 may ensure that no
more than a certain amount of elapsed time goes by before receiving the
continuation message (CM) 212. If too much time elapses before receipt of a
continuation message 212, the call-up policy may be violated.

Other factors can be used to determine if a call-up violation exists as well,
such as the inability to validate a digital signature in the continuation message 212.
Another factor determining a call-up violation is that the
HASH(EVENT_HISTORY) field in the continuation message 212 is not the same
as the hash of the event history recorded in the user device 104 as of the time of the
last call-up, HASH(EVENT_HISTORY_AS_OF_MOST_RECENT_CALLUP).
This might arise if there are two devices 104-107 having the same configuration and
ID_TAG_TABLE, due to piracy, but only one performs a call-up. Because of the
event history, only one of the devices 104-107 would accept the continuation
message 212. The other device would have to do its own call-up and this would lead
to a call-up failure because the HEADER_TAG_TABLE (Row one in Table 210 in
Figure 6) would match on ID_TAG_TABLE but would fail to match on call-up
time, as explained above.

If the CALL-UP_POLICY is violated in step 373, processing proceeds to
step 376 and punitive action can be performed at the user device 104. In this case,
punitive action may include notifying the user 213 that a call-up cannot proceed and
that the instance of software 111-114 requested must be temporarily denied access or
disabled. Alternatively, the user device 104 can be deactivated for some time.

If step 373 determines that a continuation message (CM) 212 is received and
is acceptable as being within the limitations defined in CALL-UP_POLICY, in step
374, the continuation message (CM) 212 is passed to the supervising program (SP)
209. Then, in step 375 the supervising program (SP) 209 verifies the continuation
message (CM) 212 via a digital key signature technique and executes each action in
the continuation message 212 for each tag TAG_INST_SWn in the tag table 210 of
the user device 104. That is, the supervising program (SP) 209 updates the USAGE
STATUS and ACTION TIME columns for each tag TAG_INST_SWn in the tag
table 210. In this manner, the system 109 of the invention allows the user device
104 to periodically obtain tag table 210 updates from the guardian center 103
(Figure 2).

Since the supervising program (SP) 209 serves as an interface between the
user 213 and the instances of installed software 111-114 on a user device 104, the
supervising program 209 implements the usage supervision mechanisms described
herein preferably on the user device 104. By requiring the tag TAG_INST_SWn for
an instance of software 111-114 to be in a "CONTINUED" usage status state, which
can be changed only during call-up processing, usage supervision is ultimately
managed by one or more guardian centers 103 (Figure 2). The guardian center(s)
103 (Figure 2) are responsible for determining whether or not a tag in a tag table 210
for a user device 104 should be in a "CONTINUED" or "GC_DISABLED" state as
per policies defined for tags and fingerprints.

Figures 13A and 13B present one continuous flow chart that shows the steps
performed by the verification program (VRP) 315 in the guardian center 103 (Figure
2) during call-up processing according to a preferred embodiment of the invention.
The guardian center 103 (Figure 2) is made aware of a call-up procedure when a user
device 104 (i.e., supervising program 209) makes the initial call-up processing
connection or contact with the guardian center 103 (Figure 2) in step 370 of Figure
12. In response thereto, in step 410 of Figure 13A, the verification guardian center
103 (Figure 2) receives the tag table 210. The guardian center 103 (Figure 2) also
receives the fingerprint table 126 from the user device 104 if there is any software
on the user device 104 that is installed but not tagged with a tag TAG_INST_SWn
in the tag table 210. Again, the fingerprint aspects of the invention are optional but
are provided in a preferred embodiment of the invention, because they permit the
detection of infringing software.

In an alternative embodiment, the guardian center 103 (Figure 2) may receive
a portion of the tag table 210 only, such as, for example, the
HEADER_TAG_TABLE and a portion of the tags (column 1) in the tag table 210.
The tags 120 received can be those that the guardian center 103 (Figure 2) requests
or can be chosen at random or may be only the tags 120 that the user device needs
for use of instances of software at that moment. Another possibility is that the tags
120 can correspond to those instances of software that are pay-per-use or have a
fixed number of uses. The advantage of this alternative is that it reduces both the
communication costs and the processing costs.

In another alternative embodiment, the guardian center 103 (Figure 2)
receives the HEADER_TAG_TABLE (top row of tag table 210 in Figure 6) only.
This embodiment makes guardian center call-ups inexpensive and can work well
when each TAG_INST_SW includes an ID_TAG_TABLE field, as will be
explained below.

Returning now to a description of call-up processing with respect to Figure 13A, in
step 411, the guardian center 103 (Figure 2) checks to ensure that the call-up is in
accordance with the call-up policy CALL-UP_POLICY associated with the user
device 104. Call-up policies CALL-UP_POLICY(s) for user devices 104-107 are
preferably maintained at the guardian center 103 (Figure 2), and/or may be provided
from the software vendors 101 or user device manufacturers (not shown) from time
to time to instruct the guardian center 103 (Figure 2) how to determine how
frequently a user device 104 must call up to verify and update its tag table 210.

Step 411 can be performed using, for example, HEADER_TAG_TABLE
information fields such as the unique identification of the tag table 210 contained in
the ID_TAG_TABLE field. If the call-up is not in accordance with the
CALL-UP_POLICY, step 416 prepares specified punitive action(s) to be carried out
by the supervising program (SP) 209 when the continuation message (CM) 212 is
returned from the guardian center 103 (Figure 2) to the user device 104.

Processing proceeds to step 412 from both steps 416 and 411, at which point
the verification program 315 verifies the signed and/or unsigned tags
TAG_INST_SWn in the tag table 210. The verification performed in step 412 may
be a digital signature verification for the signed tags TAG_INST_SW in the tag table
210. For the unsigned tags, the HASH_INST_SW value may be used to check that
the secret number NUM_INST_SW within the tag TAG_INST_SW is consistent
with HASH_INST_SW for that tag. This is possible because HASH_INST_SW is a
hash function value that is computed partly from NUM_INST_SW. In addition,
NUM_INST_SW must be found in SPARSE_SET and must be associated with
NAME_SW of TAG_INST_SW.

For each unverified tag TAG_INST_SWn detected in step 412, step 417
prepares a specified punitive action based on the usage supervision policy
POLICY(TAG_INST_SW) associated with the instance of software 111-114 for the
unverified tag TAG_INST_SWn. Punitive action in this case may include
instructions to disable the user device 104. Note that the punitive action specified in
step 417 will be carried out after it is communicated to the user device 104.

Usage supervision policies POLICY(TAG_INST_SW) associated with
instances of software 111-114 are maintained at the guardian center 103 (Figure 2),
and may be provided from the software vendors 101 from time to time to instruct the
guardian center 103 (Figure 2) how to handle usage supervision for the various
instances of software 111-114 produced by the software vendors 101. That is, the
software vendors 101 can provide the instances of software 111-114 to user devices
104-107 (for a fee for example). To enforce use restrictions on those instances
111-114, the software vendors 101 can create the policies POLICY(TAG_INST_SW)
for the instances 111-114 and can provide these policies to the guardian centers 103
(Figure 2). During call-up procedures, the guardian centers enforce or police the
policies CALL_POLICY(TAG_INST_SW). As an alternative embodiment, the policy
for one instance of software (i.e. 111) may differ from that for another instance (i.e.
112) of that same software, assuming 111 and 112 have the same software content
SW. This enables the invention to enforce usage supervision, for example,
differently for two users of the same program, since each instance has its own
associated tag and call-up policies can be maintained on an instance by instance or
user by user basis.

In any event, at the guardian center 103 (Figure 2), after each tag
TAG_INST_SW in the tag table 210 is verified for authenticity (Step 412), or after
punitive action is prepared for each unverified tag (Step 417), processing proceeds to
step 413 where each verified tag TAG_INST_SWn in the tag table 210 is checked
against the tagged software database 138 (Figure 9). Essentially, step 413 checks
that each tag TAG_INST_SWn in the tag table 210 associated with an instance of
software 111-114 used on the user device 104 (i.e., the user device performing
call-up processing) is being used in accordance with the usage supervision policy of
the instance of software POLICY(TAG_INST_SW). After each tag is tested in step
413, processing proceeds to step 414.

The checking process performed in step 413 can be performed in a variety of
ways. According to one embodiment, the tagged software database 138 (Figure 9)
contains a list of associations between tags TAG_INST_SWn and supervising
program identifiers (209-As) and the times that these associations were discovered.
In this embodiment, the verification program (VRP) 315 can compare the tags in the
tag table 210 against the list of
TAG_INST_SW-HEADER_TAG_TABLE-CALLUP_TIME associations to
determine whether the same tag 120 (Column 1 in table 210) is on two devices
104-107. If a tag 120 is found associated with several HEADER_TAG_TABLEs,
punitive action can be prepared in step 418.

In a preferred embodiment of the invention, the guardian center's verification
program VRP 315 employs the data structure (Figure 10, 320, 321) associated with a
tag 120 TAG_INST_SW to check whether the instance of software 111-114
associated with that tag 120 was used on the calling user device 104 in accordance
with the usage supervision policy POLICY(TAG_INST_SW) specified for that
instance of software 111-114. For example, if the usage supervision policy specifies
that the same instance of software, (i.e., the same tag), must not be present on two
different user devices, (e.g. 104 and 105), in a usable status (e.g., USAGE STATUS
= CONTINUED) at the same time, the detailed data in the call-up records 321 for
the tag enables the VRP 315 to check whether the policy was violated.

After each tag 120 TAG_INST_SWn in the tag table 210 has been checked
by step 413, the tags 120 in tag table 210 may or may not have associated punitive
action that has been specified in relation to those tags. If punitive action has been
specified due to an improperly copied tag or a tag that is not used in accordance with
a usage supervision policy, processing proceeds to step 420 where the verification
program VRP 315 in the guardian center 103 (Figure 2) prepares and sends the
specified punitive action back to the user device 104 via a continuation message
(CM) 212. Such a continuation message (CM) 212 is used to impose punitive action
on a user device 104 and contains "GC_DISABLED" action values for the USAGE
STATUS fields of all tags TAG_INST_SWn in the tag table 210 that are in violation
of the policy POLICY(TAG_INST_SW).

Note that in the preferred embodiment, if at least one tag TAG_INST_SW
violates the usage supervision policy POLICY(TAG_INST_SW) or is found to exist
in the compromised tag list in the tagged software database 138 (Figure 9) then
punitive action is specified in step 418 and is enacted in step 420 without further
continued processing. In an alternative embodiment, punitive action can be
specified for each compromised or policy-violating tag TAG_INST_SW in step 418
and processing may be directed to continue to step 414.

As an alternative treatment of tagged software, the above tag processing can
occur on only a portion of the tag table. For example, processing may be done only
on those tags for which the user device 104-107 (i.e. the supervising program 209 on
the user device) is requesting access (i.e., the instance(s) of software attempting to
be used). In this case, the continuation message 212 would specify continued or
punitive action only for instances of software associated with the tags that are
processed at the guardian center 103 (Figure 2).

As another alternative embodiment, no tag processing at all need take place
for software purchased for unlimited use, thus eliminating the activities associated
with step 372 (Figure 12). Instead, only the HEADER_TAG_TABLE needs to be
verified. In this case the HEADER_TAG_TABLE (top row in Figure 6) includes
the ID_TAG_TABLE and event history (Figure 6). In this embodiment, each tag
120 includes an ID_TAG_TABLE in addition to HASH_SW, NAME_SW and
NUM_INST_SW. The ID_TAG_TABLE value may be written into the tag 120
(Column 1) at the time of purchase and should be an argument to the hash function
in step 153 in Figures 3A, 3B, and 3C resulting in HASH_INST_SW. Since
ID_TAG_TABLE includes ID(SP) 209-A and since ID(SP) 209-A is based on a
rarely duplicated value including, for example, the microsecond value time when the
device 104 is first powered up, each ID_TAG_TABLE value should occur on only
one physical device in the absence of piracy.

Piracy, in the form of copying the disk image, may cause a single
ID_TAG_TABLE value to occur on several physical devices (creating "twins"), but
the LAST_CALLUP_TIME field in the HEADER_TAG_TABLE of the device 104
and the CALLUP_TIME in the CALLUP_RECORD in the authentication database
138 (Figure 9) in the guardian center 103 (Figure 2) will fail to match at call-up
time, and so the verification of HEADER_TAG_TABLE will fail. This will cause
the guardian center 103 to take punitive action if two call-up messages are sent from
two identically configured devices 104-107.

Further, two of the devices 104-107 cannot try to share the same call-up
procedure, because their HEADER_TAG_TABLEs will differ due to the HASH
(EVENT_HISTORY) field in each of their tag tables 210. Since that hash function
value is sent in the continuation message 212, only one of the devices 104-107 will
be able to properly process that continuation message 212. In the case where two
devices are acting in duplicate, the supervising program 209 is thus able to recognize
the attempted duplication and to take punitive action. Therefore, each
ID_TAG_TABLE value can be on or associated with only one device 104-107 or a
call-up failure will occur. When a tag includes ID_TAG_TABLE, the supervising
program 209 on a device 104-107 will allow the instance of software 111-114
associated with that tag 120 to be used only if the ID_TAG_TABLE value in the tag
120 matches that on the proper device. As a result, each instance of software
111-114 will be used on only one device 104-107 and that device will have an
ID_TAG_TABLE value that matches the ID_TAG_TABLE value in the tag 120.
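
The twin check described in the last two paragraphs (and in the discussion of
steps 370 and 373), as an added Python model that is not code from the patent. It
assumes a first call-up with no prior record is accepted, uses SHA-256 for
HASH(EVENT_HISTORY), and leaves out the continuation message's digital
signature; class, field and event names are hypothetical.

```python
import hashlib
from dataclasses import dataclass, field


def event_hash(events):
    """HASH(EVENT_HISTORY); SHA-256 is an assumed choice of hash function."""
    return hashlib.sha256("\n".join(events).encode()).hexdigest()


@dataclass(frozen=True)
class Header:                      # HEADER_TAG_TABLE
    id_tag_table: str
    last_callup_time: int
    event_hash: str


@dataclass(frozen=True)
class ContinuationMessage:         # CM 212 (signature omitted in this model)
    time: int
    id_tag_table: str
    event_hash: str


class GuardianCenter:
    def __init__(self):
        self.callup_records = {}   # ID_TAG_TABLE -> [(CALLUP_TIME, Header)]

    def call_up(self, header, now):
        records = self.callup_records.setdefault(header.id_tag_table, [])
        # Fail unless LAST_CALLUP_TIME equals CALLUP_TIME of the newest record.
        if records and records[-1][0] != header.last_callup_time:
            return None            # call-up failure, punitive action follows
        records.append((now, header))
        return ContinuationMessage(now, header.id_tag_table, header.event_hash)


@dataclass
class Device:
    id_tag_table: str
    last_callup_time: int = 0
    events: list = field(default_factory=list)

    def header(self):
        return Header(self.id_tag_table, self.last_callup_time,
                      event_hash(self.events))

    def accept(self, cm):
        """Supervising-program side: accept a CM only if it matches our state."""
        if cm is None or cm.id_tag_table != self.id_tag_table:
            return False
        if cm.event_hash != event_hash(self.events):
            return False           # CM was issued for a different event history
        self.last_callup_time = cm.time
        self.events.append(f"callup@{cm.time}")
        return True

    def clone(self):
        """Disk-image copy: same ID_TAG_TABLE, call-up time and history."""
        return Device(self.id_tag_table, self.last_callup_time, list(self.events))


def twin_scenario():
    gc = GuardianCenter()
    a = Device("ID-TT-0001")                     # constructed identifier
    a.events.append("bootup")
    results = {"a_first": a.accept(gc.call_up(a.header(), now=100))}
    b = a.clone()                                # the "twin"
    a.events.append("run TAG_INST_SW1")          # histories diverge after copy
    b.events.append("run TAG_INST_SW2")
    cm = gc.call_up(a.header(), now=200)
    results["a_second"] = a.accept(cm)
    results["b_shared_cm"] = b.accept(cm)        # twin tries to reuse A's CM
    results["b_own_callup"] = gc.call_up(b.header(), now=300) is not None
    results["a_third"] = a.accept(gc.call_up(a.header(), now=400))
    return results


if __name__ == "__main__":
    print(twin_scenario())
```
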

In step 414, the verification program (VRP) 315 determines if any entries
exist in the tag table 210 for untagged instances of software. An untagged instance
of software installed on a user device 104-107 is indicated in the tag table 210 by a
special tag UNTAGGED_SW and the USAGE STATUS column for that untagged
software is set to UNTAGGED. This UNTAGGED_SW tag entry is preferably
created during the installation or first use of the user created software and the
fingerprinting process is preferably performed by the user device 104 upon first
detection of untagged software as explained with respect to Figure 7.

In Figure 13A, if the verification program (VRP) 315 detects an untagged
entry in the tag table 210 in step 414, step 415 is executed. The processing of step
415 obtains each fingerprint list from the fingerprint table 126 which was transferred
to the guardian center 103 in step 410. The fingerprint table 126 consists of a list of
fingerprints for each untagged instance of software. The verification program (VRP)
315 matches each fingerprint list Xi in the fingerprint table 126 against every
fingerprint list Yj in the fingerprint data structure 137 in the GCDB 300 using
general-location fingerprint checking, as explained above. If more than a specified
number of matches are found between fingerprint lists Xi and Yj, then the guardian
center has detected the use of infringing software and processing proceeds to step
420 where punitive action is prepared and sent to the user device 104 that performed
the call-up. The software vendor 101 who creates the non-infringing versions of the
infringing software may also be notified.

Because it is computationally expensive to compare each list of fingerprints Xi
against every fingerprint list in the guardian center, and this is the most
expensive operation in the call-up, one embodiment accomplishes this somewhat
differently. In this embodiment, a fingerprint list called an Inverted Guardian
Fingerprint Table is constructed which contains all of the fingerprints of all the
infringing software, but without duplicate fingerprints. Using this Inverted Guardian
Fingerprint Table, the guardian center 103 examines each list Xi and determines
how many fingerprints in this list match fingerprints in the Inverted Guardian
Fingerprint Table (stored as fingerprint data structure 137). If more than a specified
number of matches are found, then a detailed check is made of Xi against each Yj, to
determine if a close match in the number of fingerprints occurs. If step 415 does
not detect any fingerprint lists that match, step 419 is processed to determine if any
punitive action has been defined from either of the earlier steps 411 or 412. If so,
processing proceeds to step 420 as previously described.
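The two-stage check described above, sketched as an added example (not code from the patent). The block size, the threshold value, the use of the same threshold at both stages, and all sample data are assumptions; the sample shows a list X2 that passes the inverted-table prefilter because its matches are spread over two Yj, yet matches no single Yj closely.

```python
import hashlib

BLOCK = 8        # bytes hashed per fingerprint (assumed; the page fixes no size)
THRESHOLD = 3    # the "specified number of matches" (assumed value)


def fingerprint_list(software: bytes) -> list[str]:
    """One fingerprint per BLOCK-sized portion of the software text."""
    return [hashlib.sha256(software[i:i + BLOCK]).hexdigest()[:16]
            for i in range(0, len(software), BLOCK)]


def build_inverted_table(gc_lists: dict[str, list[str]]) -> set[str]:
    """All fingerprints of all infringing software, duplicates removed."""
    inverted: set[str] = set()
    for y in gc_lists.values():
        inverted.update(y)
    return inverted


def check_call_up(fingerprint_table, gc_lists, threshold=THRESHOLD):
    """Return (findings, detailed_checks) for one call-up.

    findings maps a device list name Xi to the (Yj, matches) pairs that exceed
    the threshold; detailed_checks counts the Xi-versus-Yj comparisons made.
    """
    inverted = build_inverted_table(gc_lists)
    gc_sets = {name: set(y) for name, y in gc_lists.items()}
    findings: dict[str, list[tuple[str, int]]] = {}
    detailed_checks = 0
    for x_name, x in fingerprint_table.items():
        xs = set(x)  # general-location check: position in the file is ignored
        # Stage 1: a single intersection against the inverted table.
        if len(xs & inverted) <= threshold:
            continue
        # Stage 2: detailed check against each Yj, only for lists that passed.
        for y_name, ys in gc_sets.items():
            detailed_checks += 1
            matches = len(xs & ys)
            if matches > threshold:
                findings.setdefault(x_name, []).append((y_name, matches))
    return findings, detailed_checks


def sw(*blocks: str) -> bytes:
    """Constructed sample software: a concatenation of 8-byte blocks."""
    return b"".join(b.encode() for b in blocks)


# Constructed guardian-center lists Yj (fingerprint data structure 137).
GC_LISTS = {
    "Y1": fingerprint_list(sw("A-blk-01", "A-blk-02", "A-blk-03",
                              "A-blk-04", "A-blk-05")),
    "Y2": fingerprint_list(sw("B-blk-01", "B-blk-02", "B-blk-03",
                              "B-blk-04", "A-blk-01")),
}

# Constructed fingerprint table 126 sent by the device at call-up.
DEVICE_TABLE = {
    # Reordered copy of Y1 with one foreign block: should be detected.
    "X1": fingerprint_list(sw("A-blk-03", "A-blk-01", "Z-blk-09",
                              "A-blk-04", "A-blk-02")),
    # Two blocks from each of Y1 and Y2: passes stage 1, fails stage 2.
    "X2": fingerprint_list(sw("A-blk-02", "A-blk-03", "B-blk-02",
                              "B-blk-03", "Z-blk-01")),
    # Mostly unrelated software: rejected at stage 1.
    "X3": fingerprint_list(sw("Q-blk-01", "Q-blk-02", "A-blk-05")),
}

if __name__ == "__main__":
    found, checks = check_call_up(DEVICE_TABLE, GC_LISTS)
    print("findings:", found)
    print("detailed comparisons:", checks, "of",
          len(DEVICE_TABLE) * len(GC_LISTS), "for the exhaustive method")
```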

If no punitive action is defined in step 419, step 421 is processed. This step
handles all tags TAG_INST_SWn that are known to the guardian center 103 to be
pay-per-use tags. That is, the guardian center 103 can maintain within the tagged
software database 138 (Figure 9) a list of all instances of software 111-114 that are
to be accounted for on a pay-per-use basis. Step 421 examines the tag table 210 for
any such tags (Column 1) and upon detection of one or more pay-per-use tags, step
421 causes the guardian center to send accounting information (not shown) to the
software vendor 101 concerning the usage characteristics of that pay-per-view or
pay-per-use instance 111-114. The RUN COUNT or USE TIME fields of a tag
entry in the tag table 210 can be used to determine pay-per-use statistics. If a
pay-per-use tag is expired, the USAGE STATUS field for the tag TAG_INST_SWn
for that instance of software in the tag table 210 is set to "GC_DISABLED". This
can be done by preparing a disable action DISABLE(TAG_INST_SW) for the tag.
This disable action can be incorporated into the continuation message 212, as will be
explained shortly.

After pay-per-use processing in step 421 is complete, step 422 creates a
continue action CONTINUE(TAG_INST_SW) for every fully verified and
unexpired tag TAG_INST_SW in the tag table 210. This continue action will be
incorporated into the continuation message (CM) 212.

In step 423, the verification program 315 prepares a continuation message
(CM) 212 to be returned to the user device 104. The continuation message (CM)
212 contains several fields. A TIME field indicates the current time from clock 304
and an ID_TAG_TABLE field indicates the unique identification of the tag table 210
originally sent to the guardian center 103 in step 410 of the call-up processing, as
well as an encoding of the event history at the time of the call-up,
HASH(EVENT_HISTORY). An ACTIONS field contains a list of actions ACTIONS =
(ACTIONS1, ACTIONS2, ... ACTIONSN) selected from a list of available
actions for a particular user device's 104 supervising program (SP) 209. A hash
function value is also included and is computed on the actions, HASH(ACTIONS).
Finally, a digitally signed value on the entire contents of the continuation message
212 is included to ensure that the continuation message 212 cannot be forged by a
site or host on network 100 posing as a guardian center 103. Preferably, the signed
value appears as follows:

SIGN_GC(TIME, ID_TAG_TABLE, HASH(ACTIONS), HASH(EVENT_HISTORY))

Once all of the fields of the continuation message (CM) 212 are complete,
the verification program 315 securely sends or transmits the continuation message
(CM) 212 back to the supervising program (SP) 209 within the user device 104 that
initiated the call-up in step 410. In one embodiment, this may use a public key
provided by the device upon call-up. If a pirate sets up two devices that have the
same public key, only the one device having the correct event history will be able to
process the continuation message 212 according to this embodiment of the
invention.
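The checks a supervising program could run on a received continuation message, as an added example that is not code from the patent. HMAC-SHA256 stands in for the guardian center's digital signature SIGN_GC so that only the standard library is needed; the key, field encoding, return strings and sample values are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the guardian center's signing key. With a real
# digital signature the device would hold only the public verification key.
GC_KEY = b"constructed-guardian-center-key"


def encode(*fields: bytes) -> bytes:
    """Length-prefix each field so distinct field lists never serialize alike."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def hash_list(items: list[str]) -> bytes:
    """HASH(ACTIONS) or HASH(EVENT_HISTORY) over an ordered list of strings."""
    return hashlib.sha256(encode(*(i.encode() for i in items))).digest()


def sign_gc(time: int, id_tag_table: str,
            h_actions: bytes, h_history: bytes) -> bytes:
    """SIGN_GC(TIME, ID_TAG_TABLE, HASH(ACTIONS), HASH(EVENT_HISTORY))."""
    body = encode(struct.pack(">Q", time), id_tag_table.encode(),
                  h_actions, h_history)
    return hmac.new(GC_KEY, body, hashlib.sha256).digest()


def make_cm(time: int, id_tag_table: str,
            actions: list[str], event_history: list[str]) -> dict:
    """Guardian-center side: build continuation message 212 for one call-up."""
    h_actions, h_history = hash_list(actions), hash_list(event_history)
    return {
        "TIME": time,
        "ID_TAG_TABLE": id_tag_table,
        "ACTIONS": list(actions),
        "HASH_ACTIONS": h_actions,
        "HASH_EVENT_HISTORY": h_history,
        "SIGNATURE": sign_gc(time, id_tag_table, h_actions, h_history),
    }


def verify_cm(cm: dict, my_id_tag_table: str,
              my_event_history: list[str]) -> str:
    """Device side: accept only a CM that answers this device's current call-up."""
    expected = sign_gc(cm["TIME"], cm["ID_TAG_TABLE"],
                       cm["HASH_ACTIONS"], cm["HASH_EVENT_HISTORY"])
    if not hmac.compare_digest(expected, cm["SIGNATURE"]):
        return "reject: signature"          # forged or re-hashed message
    if not hmac.compare_digest(hash_list(cm["ACTIONS"]), cm["HASH_ACTIONS"]):
        return "reject: actions altered"    # ACTIONS swapped under a valid signature
    if cm["ID_TAG_TABLE"] != my_id_tag_table:
        return "reject: other tag table"    # message issued for another tag table
    if not hmac.compare_digest(hash_list(my_event_history),
                               cm["HASH_EVENT_HISTORY"]):
        return "reject: event history"      # replayed CM or a cloned device
    return "accept"


if __name__ == "__main__":
    # Constructed call-ups: the first yields CONTINUE, the second DISABLE.
    history_1 = ["install TAG_A", "run TAG_A"]
    cm_1 = make_cm(1000, "TT-104", ["CONTINUE(TAG_A)"], history_1)
    history_2 = history_1 + ["run TAG_A"]
    cm_2 = make_cm(2000, "TT-104", ["DISABLE(TAG_A)"], history_2)
    print(verify_cm(cm_2, "TT-104", history_2))   # genuine reply
    print(verify_cm(cm_1, "TT-104", history_2))   # older CM substituted
```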

Finally, in step 425, the guardian center 103 creates a call-up record
CALL-UP_RECORDn associated with the call-up procedure. The guardian center
103 appends a reference to this call-up record CALL-UP_RECORDn to the tag data
structure 320 (Figure 10) associated with this TAG_INST_SW. A reference is either
a memory pointer or a unique identifier of the CALL-UP_RECORD. The contents
of the call-up record are discussed above with respect to Figure 10.

An example of the usefulness of this aspect of the invention will highlight
some of its features. Suppose, for example, a user 213 purchases a one year license
to use an instance of software 111-114, and that after that one year period has
expired, the user 213 does not renew the license. Since the user 213 does not renew,
the software vendor 101 desires to disable the instance of software 111-114 for
which the user 213 is no longer maintaining a license. Using this invention, the
vendor 101 can simply set the policy POLICY(TAG_INST_SW) at the guardian
center 103 associated with that instance of software 111-114 to disable the instance
upon the next call-up to the guardian center 103 from the user device 104 equipped
with the instance 111-114. In this manner, dynamic usage supervision is provided
without requiring the user 213 to turn in his copy of the instance of software
111-114. If the user 213 later desires to renew the license, the vendor 101 merely
alters the policy POLICY(TAG_INST_SW) at the guardian center 103 and the next
call-up will update the tag table 210 in the user device 104 with a "CONTINUED"
status tag TAG_INST_SW for that instance 111-114.

The various components of the continuation message CM 212 prepared by
the guardian center GC 103, and the above mentioned digital signature incorporated
into the CM 212 serve several important purposes in embodiments of the invention.
The continuation message 212 instructs the receiving user device's 104 supervising
program 209 how to update the USAGE STATUS column in the device's tag table
210 and which punitive actions, if any, to enact. The identifying hash function and
other values in the CM 212 (Figure 13B, 423) make it virtually impossible for a
dishonest user 213 to use any continuation message 212 other than the one actually
produced by the guardian center 103 in response to the current call-up from the user
device (i.e., one of 104-107), for successful completion of the required call-up
procedure. Also, an adversary agent or host cannot cause damage such as denial of
service to a user device (i.e., 104), by sending an illegitimate CM 212 to the device
104.

As described in the above preferred embodiments, the invention provides a
mechanism to detect, control and supervise usage of instances of software 111-114
that are either created and distributed (i.e., sold) from software vendors 101, or
instances that are pirated and illegally distributed with attempted access by user
device 104. By providing an unforgeable and authentic tag TAG_INST_SW that
uniquely identifies each instance of software 111-114, usage supervision is
achieved. In the preferred embodiment, same location fingerprinting is used to verify
that TAG_INST_SW is properly associated with a software instance INST_SW.

Fingerprinting may be used for slightly different purposes as well. One such
purpose is to check the textual integrity of the operating system 207. This can be
done by having one portion of a program check another portion or another program
by the aforementioned fingerprinting process. This prevents tampering with, for
example, the supervising program 209 or the operating system 207. In another
embodiment, an external hardware device such as an electronically programmable
read-only memory can perform this check when the machine or device 104-107 is
powered on. In either case, the checking program can compute a hash fingerprint as
explained above on some portion of the operating system program 207, for example,
and will cause the device to fail if it finds a mismatch in fingerprints. Fingerprinting
may also be used by the operating system 207 to check the supervising program 209
text. The supervising program 209 in turn can use the hash of the event history for
verification or authenticity checking.

This operates, for example, as follows: the supervising program 209 can
update the hash of the data tag table 210 after each update using an incremental hash
function method such as MD5. Periodically, before updating the tag table 210 with
a new event, the supervising program 209 can verify that the hash function value it
has is equal to the hash of the tag table. When any of these checks fail, the
supervising program 209 or operating system 207 can take punitive action. In this
manner, aspects of the invention can be used to detect device or software tampering
of software which operates as the invention itself.

A further use of fingerprinting is to verify that specific vendor software
submitted to the tag server 102 with a request for tags 120 for instances of that
software 111-114, is not an illegitimate copy or derivative of another legitimate
vendor's software SW. Such an action, were it possible, would permit a pirating
vendor to distribute another legitimate vendor's software SW with associated
tag-server produced authentic tags 120. This aspect of the invention prevents this
form of piracy by fingerprinting the newly created software and using general
location fingerprinting to compare the new software against existing software to see
whether the newly submitted vendor software is suspiciously similar to legitimate
vendor software SW.

An instance of software 111-114 may have its tag checked either when it is
installed or when it is first used. Tags may also be checked (i.e. verified via either
hash functions, signatures, or call-up procedures) later. One reason for waiting until
the software is first used is that the software may be large, so that checking may
entail less overhead when the software is run than when it is first installed.

Because of failures, the state of a device may have to be restored to a
previous state. In this case, a user 213 must contact the Guardian Center 103 to
warn that an old HEADER_TAG_TABLE may need to be sent. Suspicious uses of
this privilege can be tracked easily at the guardian center 103.

Figure 14 illustrates data structures used by an alternative embodiment of
this invention which can eliminate the need for Guardian Center call-up for
software that produces shared data files. An example is a word processing program.
Acquaintances often exchange word processing files and may exchange the word
processing software as well. Typically, the first case is permitted whereas the
second case of exchanging software applications is not. To prevent such piracy, an
embodiment of the invention can change the software application program to write
the TAG_INST_SW 120 associated with that program, as well as, for example, the
ID_TAG_TABLE, and the time of last access in an invisible location of each shared
file, as shown in data structure 600 in Figure 14. The program also may write the
TAG_INST_SW and time of last access into the TAG_TABLE 601, also shown in
this figure.

The data structure 600 stored in the invisible location (invisible to the user,
that is) in a shared software data file (i.e. a document for example, referred to herein
as an SSD) may be placed in a comment section of the shared software data SSD file
and can be accompanied by an unaliasable hash function which preferably uses the
three arguments: TAG_INST_SW, ID_TAG_TABLE and time of last access 600.

Figure 15 illustrates the steps of an embodiment of the invention that
provides the above noted software infringement protection mechanisms. In step 700
of Figure 15, when supervising program SP 209 on a first user device (i.e. user
device 104) having an ID_TAG_TABLE X detects an access to a shared software
data SSD, the supervising program 209 examines shared software data SSD and
records within a predetermined location within the shared software data SSD that
shared software data SSD was accessed by the software instance (i.e. one of
111-114) having a TAG_INST_SW T at a specific time. Then, in step 701, when an
instance of software (potentially on another machine or another user device, e.g.,
105) attempts to execute and access the shared software data file SSD, the
supervising program 209 on the user device 105 senses the existence of data
structure 600 in the shared software data file SSD and obtains the tag T from the
SSD and checks the tag table 210 on user device 105 (the device obtaining the
shared file, but not necessarily the creating device of the file SSD) to see whether the
tag T is in the tag table 210. If the tag T does not exist, then the instance of software
being used on the secondary device 105 (the device obtaining the shared data) to
access the shared software data SSD has not been copied, and thus access is allowed
to proceed to step 703.

Alternatively, if in step 701 the tag T does exist in the data structure 600
stored within the shared software data SSD, then processing proceeds to step 702.
In step 702, the supervising program 209 on the secondary device 105 tests whether
the instance of software (e.g., one of instances 111-114 on the secondary device 105)
associated with the tag T wrote the shared software data file at the time indicated in
the data structure 600 embedded in the SSD. If not, piracy has occurred and the
supervising program 209 performs punitive action on the secondary user device in
step 704. If step 702 determines that the current instance of software 111-114 on the
secondary device 105 did access the shared software data SSD as indicated by the
information in the data structure 600 embedded in the SSD, then processing
proceeds to step 703 where access to the shared software data is allowed. Note that
this embodiment is advantageous by requiring no Guardian Center call-ups, other
than, perhaps, one at the time of the purchase or installation of the software instance
111-114 or for purposes of detecting infringing software.
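The stamp written in step 700 and the decision made in steps 701 to 704, as an added example that is not code from the patent. The class and method names, the SHA-256 length-prefixed construction used for the unaliasable hash, and the handling of a stamp whose hash does not verify are assumptions; the devices, tags and times are constructed.

```python
import hashlib
import struct
from dataclasses import dataclass


def unaliasable_hash(tag: str, id_tag_table: str, last_access: int) -> str:
    """Hash of the three stamp arguments; each field is length-prefixed so
    that no two different argument triples produce the same hash input."""
    h = hashlib.sha256()
    for field in (tag.encode(), id_tag_table.encode(),
                  struct.pack(">Q", last_access)):
        h.update(struct.pack(">I", len(field)) + field)
    return h.hexdigest()


@dataclass
class Stamp:
    """Data structure 600, kept in a location of the SSD hidden from the user."""
    tag: str            # TAG_INST_SW of the instance that accessed the file
    id_tag_table: str   # ID_TAG_TABLE of the device that accessed the file
    last_access: int    # time of last access
    digest: str         # unaliasable hash over the three fields above


class Device:
    """A user device with its supervising program's tag table (601)."""

    def __init__(self, id_tag_table: str, tags: list[str]):
        self.id_tag_table = id_tag_table
        # tag -> set of access times this device recorded for that instance
        self.tag_table: dict[str, set[int]] = {t: set() for t in tags}

    def write_shared(self, tag: str, now: int) -> Stamp:
        """Step 700: record the access locally and stamp the shared file."""
        self.tag_table.setdefault(tag, set()).add(now)
        return Stamp(tag, self.id_tag_table, now,
                     unaliasable_hash(tag, self.id_tag_table, now))

    def open_shared(self, stamp: Stamp) -> str:
        """Steps 701-704: decide whether this device may open the shared file."""
        recomputed = unaliasable_hash(stamp.tag, stamp.id_tag_table,
                                      stamp.last_access)
        if recomputed != stamp.digest:
            # Assumption: an inconsistent stamp is treated as tampering.
            return "punitive: stamp altered"
        if stamp.tag not in self.tag_table:
            # Step 701 -> 703: a different instance wrote the file.
            return "allow"
        if stamp.last_access in self.tag_table[stamp.tag]:
            # Step 702 -> 703: this very instance wrote the file at that time.
            return "allow"
        # Step 702 -> 704: same tag, but this device never made that access.
        return "punitive: copied instance"


if __name__ == "__main__":
    writer = Device("TT-104", ["T1"])           # constructed devices and tags
    stamp = writer.write_shared("T1", 1000)
    print(Device("TT-105", ["T2"]).open_shared(stamp))  # own licence: allow
    print(Device("TT-106", ["T1"]).open_shared(stamp))  # copy of T1: punitive
    print(writer.open_shared(stamp))                     # original: allow
```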

In another embodiment of this invention, different software instances of the
same software differ depending on a device identifier. The advantage of such an
embodiment is to reduce the needed communication with the guardian center. The
disadvantage is that each software instance must be different (as opposed to only the
tag's being different) and cannot be moved from device to device. In this
embodiment, the device identifier is constructed from a processor identifier if available
(some processors such as a Pentium III built by Intel Corporation have a processor
identifier) or preferably from the supervising program identifier, which may
incorporate a processor identifier as described above. Each software instance
incorporates the identifier of the device that is to use that software instance in a test
inside the software instance's code. Such a test may be expressed in the C language
for example as an "if statement." The test compares the incorporated identifier with
the device identifier. The software, upon executing, performs the test. If the
comparison succeeds, then the device may use the software instance. If the
comparison fails, the device may not use the instance and may inform the
supervising program to take punitive action. A would-be pirate may modify the
program so that the program doesn't check the device identifier. This is analogous to
making tagged software appear as if it is untagged and therefore infringing.
Software whose device test has been modified or removed may be detected by the
fingerprint-based mechanism described in Figure 13A, starting with step 414 in
Figure 13A.

A variant on this embodiment is that the vendor sends both the device
identifier and a signed digital signature of the hash of the software instance
incorporating the device identifier.
This can be computed as follows:

SIGN_VENDOR(HASH_INST_SW),

where HASH_INST_SW = HASH(SW, DEVICE_IDENTIFIER)

Here, SIGN_VENDOR is the digital signature of the vendor and the
HASH_INST_SW is computed from the contents of the software (identical for all
instances) plus the incorporated DEVICE_IDENTIFIER. The software instance
incorporating the device identifier would preferably place that identifier at the
beginning or at the end of the contents of the software in order to make the hashing
process inexpensive. A second test verifies that the digital signature
SIGN_VENDOR is authentic and a third test verifies that the sent
HASH_INST_SW is equal to the value resulting from hashing the software instance.
Both tests are performed by the supervising program on the user device. If either the
digital signature is not authentic or HASH_INST_SW has a different value from the
hash of the received software instance, then punitive action is taken by the
supervising program.

In the above descriptions, the tag server 102, the guardian center 103 and the
vendor 101 have been described separately. Alternative embodiments are possible
in which these roles can be unified. For example, a single site or networked host or
server may serve as both the guardian center 103 and the tag server 102. Or a
software vendor 101 may serve all three roles. Further still, even if each process or
role is separated, some of the functions allocated to one component (i.e. tag server,
guardian server, vendor) in the embodiments above may be performed by other
components. For example, same-location fingerprinting may be performed at the
vendor 101 instead of at the tag server 102.

While this invention has been particularly shown and described with
references to preferred embodiments thereof, it will be understood by those skilled
in the art that various changes in form and details may be made therein without
departing from the spirit and scope of the invention as defined by the appended
claims.

CLAIMS

What is claimed is:

1. A system for supervising usage of software comprising:

a software vendor producing instances of software;

a tag server producing a plurality of tags, one tag per instance of
software, each tag uniquely identifying an instance of software with which it
is associated; and

a user device receiving and installing an instance of software and
securely receiving a tag uniquely associated with that instance of software,
the user device including a supervising program which detects attempts to
use the instance of software and which verifies the authenticity of the tag
associated with the instance of software before allowing use of the instance
of software.

2. The system of claim 1, wherein the supervising program on the user device
verifies the authenticity of the tag and maintains the tag in a tag table and
maintains the instance of software if the tag is authentic and rejects the
instance of software if the tag associated with the software is not authentic.

3. The system of claim 2, wherein the supervising program verifies a hash
function value in the tag to determine if the tag is authentic and is properly
associated with the instance of software.

4. The system of claim 2 wherein the tag is digitally signed and the supervising
program verifies the authenticity of the tag by verifying a digital signature of
the tag.

5. The system of claim 1 wherein each of the plurality of tags created by the tag
server comprises at least one of a name of software, a unique number of an
instance of software and a hash function value on portions of an instance of
software.

6. The system of claim 5 wherein the unique number of the instance of software 
is selected from a sparse set of numbers. 

7. The system of claim 5 wherein each tag further comprises a unique identifier
of the supervising program.

8. The system of claim 7 wherein the supervising program verifies that the
unique identifier of the supervising program in a tag is the same as an
identifier of the supervising program on the user device.

9. The system of claim 1 wherein each tag includes at least one fingerprint
computed on portions of the instance of software associated with the tag.

10. The system of claim 9 wherein the supervising program verifies that the
software instance associated with a tag satisfies a same-location fingerprint
check against the at least one fingerprint included in the tag associated with
the instance of software.

11. The system of claim 10 wherein the same-location fingerprint check is
performed by the supervising program at at least one time of before, during,
and after use of the instance of software.

12. The system of claim 9 wherein each tag further includes at least one list of
locations containing values from which the at least one fingerprint is
computed and the supervising program verifies that the software instance
associated with each tag satisfies a same-location fingerprint check against
the at least one fingerprint associated with the software at locations specified
in the at least one list of locations.

13. The system of claim 1 wherein whenever any data file is accessed by the
instance of software, information associated with the instance of software
performing the access is stored in a location associated with the data file.

14. The system of claim 13 wherein the information associated with the instance 
of software is the tag associated with the instance of software. 

15. The system of claim 13 wherein the information associated with the instance
of software is the time of modification performed by the instance of software.

16. The system of claim 13 wherein the information associated with the instance
of software performing the access is written to a secure location which the
supervising program alone can access.

17. The system of claim 16 wherein the supervising program verifies that when
an instance of the software attempts to access a data file having associated
information stored in the location associated with that data file, the
supervising program verifies that the associated information stored is
information associated with the instance of software currently attempting
access.

18. The system of claim 16, wherein the supervising program uses an unaliasable
hash function to verify the associated information stored in the location
associated with the data file for which access is currently being attempted.



19. The system of claim 1 further comprising:

a guardian center including:

a tagged software database; and

a verification program;

the guardian center periodically communicating with the user device
via a call-up procedure to receive tags from the user device, said tags
associated with instances of tagged software used on the user device, the
verification program examining each tag received from the user device
against the tagged software database to ensure that the tags are in compliance
with at least one usage supervision policy, and the verification program
returning a continuation message to the user device, the continuation
message indicating for the instance of software associated with each tag on
the user device an action to follow; and

the supervising program on the user device verifying the continuation
message for authenticity and if authentic, performing the action to follow
indicated in the continuation message.

20. The system of claim 19 wherein at least one of the software vendor, the tag
server, and the guardian center are combined with another of the at least one
of the software vendor, the tag server and the guardian center.

21. The system of claim 19 wherein the maximum allowed time interval between
successive call-up procedures is determined by at least one of a combination
of the time elapsed in the user device, a number and duration of uses of
instances of software, a number of times the user device is powered on, and a
measure of use of the user device.

22. The system of claim 21 wherein when a user device fails to perform a call-up
procedure with the guardian center before the end of a maximum allowed
interval since the last call-up procedure, the user device is disabled for a
period of time.

23. The system of claim 21 wherein when a user device fails to perform a call-up
procedure with the guardian center before the end of a maximum allowed
interval since the last call-up procedure, usage of certain instances of
software is denied for a period of time.

24. The system of claim 19 wherein a call-up occurs when an instance of 
software is used a first time on a user device. 



25. The system of claim 19 wherein a call-up occurs due to a request by the
guardian center.

26. The system of claim 19 wherein the supervising program tests an
authenticity of the continuation message by verifying that a hash function
value of a tag table in the continuation message is the same as a hash
function value of a tag table sent in a call-up message from the user device.

27. The system of claim 26 wherein the authenticity of the continuation message
is tested by the supervising program by verifying that a digital signature in
the continuation message is produced by the guardian center.

28. The system of claim 19 wherein a user device that receives no continuation
message following a call-up message to the guardian center resends a call-up
message with a cancellation command for a previous call-up message.

29. The system of claim 19 wherein at least one usage supervision policy is
associated with at least one individual instance of software with which at
least one tag is associated.

30. The system of claim 19 wherein at least one usage supervision policy is
associated with the entire user device with which the guardian center
communicates during the call-up procedure.




31. The system of claim 19 wherein at least one usage supervision policy is
associated with an individual user of the user device with which the guardian
center communicates during the call-up procedure.

32. The system of claim 19 wherein at least one usage supervision policy is
associated with a usage supervision history of the user device with which the
guardian center communicates during the call-up procedure.

33. The system of claim 19 wherein the guardian center maintains a tag data
structure in the tagged software database for each tag associated with each
instance of software on each user device.

34. The system of claim 33 wherein each tag data structure includes a tag of an
instance of software, a usage supervision policy associated with the instance
of software, and a collection of references to call-up records.

35. The system of claim 34 wherein each call-up record in the collection of
call-up records represents information concerning one call-up procedure and
the continuation message associated with the call-up procedure includes at
least one of a call-up time, a header of a tag table transferred to the guardian
center during the call-up procedure, a last call-up time indicating a time
stamp of a former call-up procedure, a hash function value of the tag table
transferred to the guardian center during the call-up procedure, and actions
to follow on the user device.

36. The system of claim 1 further comprising:

a guardian center including a verification program;

the guardian center periodically communicating with the user device
via a call-up procedure to receive a unique identifier for the user device's
supervising program from the user device, the verification program
examining the unique identifier to ensure that at most one supervising
program has that identifier, and the verification program returning a
continuation message to the user device, the continuation message indicating
an action to follow upon attempted use of the instances of software
associated with each tag on the user device,

the user device's supervising program verifying the continuation
message for authenticity and if authentic, performing the action in the
continuation message.

37. The system of claim 36 wherein the supervising program identifier is
generated a first time that the supervising program is invoked, based on a
rarely duplicated number.

38. The system of claim 37 wherein the rarely duplicated number is a very
precise clock value occurring when the supervising program is first invoked
in the machine.

39. The system of claim 37 wherein the rarely duplicated event is a number
provided by a guardian center.

40. The system of claim 1 further comprising:

an untagged instance of software used on the user device;

wherein the supervising program detects the use of the untagged
instance of software and performs a fingerprinting process on the untagged
instance of software and stores fingerprints resulting from the fingerprinting
process on the user device.

41. The system of claim 40 where the user device's supervising program further
performs a fingerprinting process on a tagged instance of software used on
the device and stores the fingerprints resulting from the fingerprinting
process in a fingerprint table on the user device.

42. The system of claim 41 wherein the supervising program stores locations
from which the fingerprints are computed.

43. The system of claim 41 wherein the fingerprints are based on contents of the 
instance of software. 

44. The system of claim 41 wherein the fingerprints are based on known
sequences of behavior of the instance of software.

45. The system of claim 41 further comprising:

a guardian center including:

a fingerprint data structure; and

a verification program;

the guardian center periodically communicating with the user device
via a call-up procedure to receive all fingerprints from the user device for an
instance of software used on the user device, the verification program
comparing every fingerprint received from the user device against the
fingerprint data structure to determine if an instance of software used on the
user device is an infringing instance of software.

46. The system in claim 45 wherein if the verification program detects more than
a specified number of matches between fingerprints in the guardian center's
fingerprint data structure and fingerprints received from the user device, the
verification program specifies a punitive action to be performed, and the
verification program returns a continuation message to the user device, the
continuation message indicating the punitive action to be performed on the
user device.

47. The system in claim 46 wherein the fingerprint matching process is at least
one of general location or same location fingerprint matching.

48. The system in claim 46 wherein the fingerprint matching uses an inverted
guardian center fingerprint table.

49. The system of claim 46 wherein the punitive action specifies that the user 
device be disabled for a specified length of time. 

50. The system of claim 46 wherein the punitive action specifies that the
instance of software associated with the fingerprint that was matched to a
fingerprint in the fingerprint data structure of the guardian center should be
disabled for a specified length of time.

51. The system of claim 46 wherein the punitive action depends on at least one
of a combination of the history of the behavior of the user device, the history
of the behavior of a particular user on the user device, and the collection of
other software on the user device.

52. The system of claim 45 wherein the software vendor transmits a copy of an
infringing instance of software to the guardian center and the guardian center
computes fingerprints on the copy of the infringing instance of software and
incorporates and stores the fingerprints into the fingerprint data structure on
the guardian center.

53. A tag table data structure encoded on a user device's readable medium, the
tag table data structure including at least one tag that is uniquely associated
with one instance of software and including at least one field associated with
the tag in the tag table, and including at least one field indicating a usage
status associated with the tag associated with the instance of software.

54. The tag table data structure of claim 53 where the at least one field indicates
use statistics for the one instance of software associated with the tag.

55. The tag table data structure of claim 53, further including a tag table header
that uniquely identifies the tag table.

56. The tag table data structure of claim 53 wherein the tag table header includes
information concerning user device use statistics and includes a continuation
message.

57. A software vendor comprising:

a software production mechanism creating instances of software each
having at least one of a name and software content;

each instance of software being usable only in conjunction with a tag
that is unique to that instance of software, the tag being a unique unforgeable
collection of information concerning the instance of software with which the
tag is associated and including at least one of the name of the software, a
unique number of the instance of software and a hash function value on
portions of content of the software.

58. The software vendor of claim 57 wherein the tag includes an identifier of the
supervising program associated with a user device upon which the instance
of software is to be used.

59. The software vendor of claim 57 wherein the tag includes a list of
fingerprints of portions of the instance the software with which the tag is
associated.

60. The software vendor of claim 57, further comprising:

an infringing software detection mechanism detecting software that is
infringing on the vendor's rights and transferring a copy of the infringing
software to a guardian center so that usage supervision can be implemented
to detect attempted use of an instance of the infringing software on a user
device.

61. The software vendor of claim 60, further comprising:

an infringing software detection mechanism detecting software that is
infringing on the vendor's rights and transferring a copy of the infringing
software to a guardian center, the guardian center invalidating any tag
associated with an instance of the infringing software and sending a punitive
action to any user device detected by the guardian center to have used the
instance of infringing software.

62. A user device comprising:

an input port receiving an instance of software and receiving a tag
uniquely associated with that instance of software and receiving a request to
use the instance of software;

a processor executing a supervising program, the supervising
program detecting the request to use the instance of software and verifying
the authenticity of the tag associated with the instance of software before
allowing use of the instance of software by the user device.

63. The user device of claim 62, wherein the supervising program verifies the
authenticity of the tag and stores the tag in a tag table and maintains the
instance of software if the tag is authentic and rejects the instance of software
if the tag associated with the software is not authentic.

64. The user device of claim 63, wherein the supervising program computes a
hash function value on the instance of software and compares the computed
value with a hash function value in the tag to determine whether the tag is
authentic and is properly associated with the instance of software.

65. The user device of claim 63 wherein the tag is digitally signed and the
supervising program verifies the authenticity of tag by verifying a digital
signature of the tag.

66. The user device of claim 63, wherein the tag table is a data structure stored in
storage on the user device and contains at least one tag that is uniquely
associated with an instance of software and includes at least one field
associated with the tag in the tag table, the at least one field indicating a
usage status for the instance of software associated with the tag.

67. The user device of claim 62 wherein the supervising program determines that 
a call-up procedure is required as defined by a call-up policy and the 
supervising program performs the call-up procedure to update the usage 
status of tags stored in the tag table. 

68. The user device of claim 62 wherein the supervising program verifies that
each data file used by tagged software is produced by a legitimate instance of
software.

69. The user device of claim 67 wherein during performance of the call-up
procedure, the supervising program securely transmits the tag table from the
user device via an interconnection mechanism coupled to the user device and
awaits reception of a continuation message returned to the user device, the
continuation message indicating actions to be performed for each tag in the
tag table.

70. The user device of claim 67, wherein during the performance of the call-up
procedure, the supervising program securely transmits a tag table header
from the user device via an interconnection mechanism coupled to the user
device and awaits reception of a continuation message returned to the user
device that indicates an action to be performed for each tag in the tag table.



71. The user device of claim 62 further comprising:

an untagged instance of software used on the user device;

wherein the supervising program detects the untagged instance of
software and performs a fingerprinting process on the untagged instance of
software and stores fingerprints resulting from the fingerprinting process in a
fingerprint table on the user device.

72. The user device of claim 71 wherein the supervising program determines that
a call-up procedure is required as defined by a call-up policy and the
supervising program performs the call-up procedure to update the usage
status of untagged instances of software stored on the user device.

73. The user device of claim 72, wherein during performing the call-up
procedure, the supervising program transmits a portion of the fingerprint
table from the user device via an interconnection mechanism coupled to the
user device and awaits reception of a continuation message returned to the
user device that indicates actions to be performed for each untagged instance
of software stored on the user device.

74. A guardian center comprising:

a tagged software database; and

a verification program executing on a processor in the guardian
center,

the guardian center periodically executing a call-up procedure to
receive, via an interconnection mechanism, tags for instances of software, the
verification program examining each tag received against the tagged
software database maintained on the guardian center to ensure that the tags
are in compliance with at least one usage supervision policy, and the
verification program transmitting a continuation message via the
interconnection mechanism indicating actions to follow upon attempted use
of the instances of software associated with each tag received by the guardian
center during the call-up procedure.

75. The guardian center of claim 74 wherein at least one usage supervision
policy is associated with each instance of software with which at least one
tag is associated.

76. The guardian center of claim 74 wherein at least one usage supervision
policy is associated with a user device with which the guardian center
communicates to receive tags.

77. The guardian center of claim 74 wherein at least one usage supervision
policy is associated with an individual user of the user device with which the
guardian center communicates to receive tags.

78. The guardian center of claim 74 wherein the guardian center maintains a tag
data structure in the tagged software database for each tag associated with
each instance of software on each user device and receives newly-created
tags associated with instances of software from a tag server and further
receives tags associated with instances of software used on a user device in a
tag table transmitted from the user device.

79. The guardian center of claim 78 wherein each tag data structure includes at
least one of a tag of an instance of software, a name of the instance of
software, a unique number of the instance of software, a hash function value
on the instance of software, a usage supervision policy associated with the
instance of software, and a collection of references to call-up records
associated with the tag associated with the said instance of software.

80. The guardian center of claim 79, wherein each call-up record in the
collection of call-up records represents information concerning one call-up
procedure and includes at least one of a call-up time, a header of a tag table
transferred to the guardian center during the call-up procedure, a last call-up
time indicating a time stamp of a former call-up procedure, a hash function
value of the tag table transferred to the guardian center during the call-up
procedure, and the action to follow on the user device contained in the
continuation message associated with the call-up procedure.

81. A guardian center including:

a fingerprint data structure; and

a processor executing a verification program;

the verification program periodically executing a call-up procedure
with a user device to receive, via an interconnection mechanism, fingerprints
for instances of software used on the user device, the verification program
examining each fingerprint received against the fingerprint data structure to
determine if an untagged instance of software used on a user device is an
infringing instance of software, and if so, the verification program preparing
a punitive action to be executed on the user device.

82. The guardian center of claim 81 wherein all vendor software is fingerprinted
and infringements of one vendor's software upon another vendor's software
are detected based on at least one of same location or general location
fingerprint checking.

83. The guardian center in claim 81 wherein if the verification program detects a
sufficient number of matches between a fingerprint in the fingerprint data
structure and a fingerprint within the fingerprints received, the verification
program specifies punitive action to be performed, and the verification
program transmits a continuation message, the continuation message
indicating a punitive action to be performed on a receiver of the continuation
message.

84. The guardian center of claim 83 wherein the sufficient number is one.

85. The guardian center of claim 83 wherein the sufficient number is greater than
one.

86. The guardian center of claim 85 wherein the sufficient number is computed
as a weighted sum of matches where the weight of each match depends on a
fingerprint that matches.

87. The guardian center in claim 83 wherein the fingerprint matching technique
is general location fingerprint checking.

88. The guardian center of claim 83 wherein the punitive action specifies
disablement of the receiver.

89. The guardian center of claim 83 wherein the punitive action specifies that the
instance of software associated with the fingerprint that was matched to a
fingerprint in the fingerprint data structure should be disabled.

90. The guardian center of claim 81 wherein the verification program receives,
via the interconnection mechanism, a copy of an infringing instance of
software and computes fingerprints on the copy of the untagged infringing
instance of software and incorporates and stores the fingerprints in the
fingerprint data structure.

91. A tag server accepting a copy of specific vendor software and producing a
plurality of tags, one tag per instance of the software, each tag uniquely
identifying an instance of software with which it is associated, and each tag
comprising at least one of the name of the software associated with the tag, a
unique number of the instance of software associated with the tag, and hash
function values computed on portions of the instance of software associated
with the tag.






92. The tag server of claim 91, further including a digital signature mechanism
used to digitally sign the tags and to securely transmit the tags to an intended
receiver.

93. A method for supervising usage of software comprising the steps of:

creating an instance of software;

creating a tag that is uniquely associated with the instance of
software;

distributing the instance of software and securely distributing the tag
to a user device and receiving the instance of software and the associated tag
at the user device;

detecting an attempt to use the instance of the software on the user
device;

determining if the attempt to use the instance of the software is
allowable by determining a status of the tag that is associated with the
instance of software to be used.



94. The method of claim 93 wherein the step of creating a tag includes the steps
of:

assigning a unique number to the instance of software;

computing a first hash function value on portions of the content of the
instance of software;

computing a second hash function value for the instance of software,
the second hash function value combining the name of the software, the
unique number of the instance of software, and the first hash function value.

computing a tag that is uniquely associated with the instance of
software, the tag including the name of the software, the unique number of
the instance of software and the second hash value.

95. The method of claim 94, wherein the step of computing a tag creates a
digitally signed tag by applying a digital signature function to the second
hash function value to produce a signature and including the signature in the
tag.

96. The method of claim 93, wherein the step of distributing the tag to a user
device includes the step of securely distributing the tag to a software vendor
and user device using a public key encryption technique.

97. The method of claim 93 wherein the step of receiving the instance of
software includes the step of:

obtaining the instance of software at the user device; and

wherein the step of receiving the tag at a user device includes the
steps of:

securely obtaining the tag associated with the instance of software at
the user device;

determining if the tag associated with the instance of software is
signed, and if so, verifying a signature on a hash function value in the tag and
if the signature on the hash function value is verified, installing the software
on the user device, and if the tag associated with the instance of software is
not signed, installing the instance of software on the user device.



98. The method of claim 93 wherein:

the step of detecting an attempt to use the instance of the software on
the user device includes the steps of:

invoking a supervising program on the user device to
intercept a user request for use of the instance of software; and

wherein the step of determining if the attempt to use the instance of
the software is allowable includes the steps of:

determining if a call-up procedure is needed based on a
call-up policy and if so performing the next three steps:

performing a call-up procedure to verify the authenticity and
to determine the usage supervision policy of the tag associated with the
instance of software;

updating tag information in the user device based upon an
outcome of the call-up procedure; and

examining status information associated with the tag to
determine if use of the instance of software associated with the tag is
allowed.

99. The method of claim 98, wherein the step of performing a call-up procedure
includes the steps of:

transmitting a tag table storing the tag associated with the instance of
software from the user device;

awaiting reception of a continuation message returned to the user
device that indicates an action to be performed for each tag in the tag table.

100. The method of claim 98, further including the step of verifying that a
continuation message is directed towards this device and that the event
history corresponds to the event history at this device.

101. The method of claim 98, wherein the step of performing a call-up procedure
includes the steps of:

receiving a tag table including the tag associated with the instance of
software;

examining each tag received in the tag table against a tagged software
database to ensure that tags in the tag table are in compliance with at least
one usage supervision policy; and

transmitting a continuation message indicating an action to follow at
the user device upon detecting an attempted use of the instances of software
associated with each tag.

102. The method of claim 101, wherein the continuation message includes:

a supervising program identifier of the supervising program to which
the continuation message is to be sent;

the time when the continuation message was prepared;

an encoding of the tag table header that accompanied the call-up from
the device.



103. A method for supervising use of software comprising the steps of:

detecting use of an untagged instance of software on a user device;

creating and storing fingerprints associated with the untagged
instance of software on the user device;

detecting an attempt to use the untagged instance of the software on
the user device; and

determining if the attempt to use the instance of the software is valid
by comparing the fingerprints associated with the untagged instance of
software with a fingerprint data structure of infringing fingerprints and
disabling use of the untagged instance of software if a fingerprint match is
found.

104. The method of claim 103 further comprising the steps of:

detecting use of a tagged instance of software on a user device;

creating and storing fingerprints associated with the tagged instance
of software on the user device;

detecting an attempt to use the tagged instance of the software on a
user device; and

determining if the attempt to use the instance of the software is valid
by comparing the fingerprints associated with the tagged instance of software
with a fingerprint data structure of infringing fingerprints and disabling use
of the tagged instance of software if a fingerprint match is found.

105. The method of claim 103, further including the steps of:

detecting, by a software vendor, an instance of infringing software;

submitting a copy of the instance of infringing software to a guardian
center; and

computing fingerprints at the guardian center on the infringing
instance of software and incorporating and storing the fingerprints in a
fingerprint data structure.

106. A method for uniquely identifying instances of software comprising the steps
of:

obtaining an instance of software;

assigning a name to the instance of software;

assigning a unique number to the instance of software, the unique
number being different from any unique number assigned to another instance
of the same software;

computing a hash function value on portions of the instance of
software;

computing a second hash function value on a concatenation of the
name of the instance software, the number of the instance software, and the
first computed hash function value to produce an unsigned hash function
value unique to that instance of software;

signing the unsigned hash function value using a key to produce a
signed hash function value for the instance of software; and

creating a tag associated with the instance of software that uniquely
identifies that instance of software, the tag including the signed hash value of
the instance of software, the name of the instance of software, the unique
number of the instance of software, and the unsigned hash value of the
instance software.

107. The method of claim 106, wherein the steps of obtaining the instance of
software and assigning a name to the software are performed by a software
vendor and the steps of assigning a unique number to the instance of
software, computing the first and second hash function values, signing the
second hash value, and creating the tag are performed by a tag server.

108. A computer readable medium encoded with instructions that when read and
executed on a processor perform the following steps:

detecting a request to use an instance of software;

determining if a tag corresponding with the instance of software has an
associated status that allows the instance of software to be used; and

periodically performing a call-up procedure to validate the authenticity of the
tag and to ensure that the instance of software corresponding to the tag is
used in accordance with an usage supervision policy.

109. A propagated signal transmitted via a carrier over a communications
medium, the signal carrying an encoded tag table data structure which
includes at least one tag that is uniquely associated with one instance of
software and includes at least one field associated with the tag in the tag
table, the at least one field indicating a use control status for the one instance
of software associated with the tag.

110. A propagated signal transmitted via a carrier over a medium, the signal
carrying an encoded continuation message, the continuation message
containing an indication of actions to be performed at a receiver of the
propagated signal when an attempt to use an instance of software associated
with the actions is detected at the receiver.

111. A method for ensuring that a software program hasn't been altered
comprising the steps of:

computing an unaliasable hash function value on contents of the software
program; and

comparing the result of the unaliasable hash function with a result of
a previously held hash value to determine if the results are the same, thus
indicating if a software program has been altered.

112. The method of claim 111 wherein the operating system computes the
unaliasable hash function value and the software program is the supervising
program.

113. A method for ensuring that data has not been altered by means of computing
an unaliasable hash function value on the contents of that data and
comparing the said value with a previously computed hash function value.

114. The method of claim 113 wherein the supervising program computes the
unaliasable hash function value and the data used by the supervising
program.

115. The system of claim 19 wherein all messages between the guardian center
and the user device are sent in a secure fashion.

116. The system of claim 115 wherein the secure fashion involves public key
encryption.



117. The system in claim 38 wherein the rarely duplicated number is further based
on the values of at least one memory location.

118. The guardian center of claim 80 wherein the guardian center tests whether
the last call-up time recorded in the continuation message from the device
matches the call-up time of the most recent call-up record recorded on the
guardian center for this device.

119. A system for supervising usage of software comprising:

a software vendor producing instances of software,
a user device receiving and installing an instance of software,
the user device including a supervising program,
an untagged instance of software used on the user device;

wherein the supervising program detects the use of the untagged
instance of software and performs a fingerprinting process on the untagged
instance of software and stores fingerprints resulting from the fingerprinting
process on the user device.

120. The system of claim 119 where the user device's supervising program further
performs a fingerprinting process on an untagged instance of software used
on the device and stores the fingerprints resulting from the fingerprinting
process in a fingerprint table on the user device.

121. The system of claim 120 wherein the supervising program stores locations
from which the fingerprints are computed.

122. The system of claim 120 wherein the fingerprints are based on the contents
of the instance of software.

123. The system of claim 120 wherein the fingerprints are based on known
sequences of behavior of the instance of software.

124. The system of claim 120 further comprising:

a guardian center including:

a fingerprint data structure; and
a verification program;

the guardian center periodically communicating with the user device
via a call-up procedure to receive all fingerprints from the user device for an
instance of software used on the user device, the verification program
comparing every fingerprint received from the user device against the
fingerprint data structure to determine if an instance of software used on the
user device is an infringing instance of software.

125. The system in claim 124 wherein if the verification program detects more
than a specified number of matches between fingerprints in the guardian
center's fingerprint data structure and fingerprints received from the user
device, the verification program specifies a punitive action to be performed,
and the verification program returns a continuation message to the user
device, the continuation message indicating the punitive action to be
performed on the user device.

126. The system in claim 125 wherein the fingerprint matching process is at least
one of general location or same location fingerprint matching.

127. The system in claim 125 wherein the fingerprint matching uses an inverted
guardian center fingerprint table.

128. The system of claim 125 wherein the punitive action specifies that the user
device be disabled for a specified length of time.

129. The system of claim 125 wherein the punitive action specifies that the
instance of software associated with the fingerprint that was matched to a
fingerprint in the fingerprint data structure of the guardian center should be
disabled for a specified length of time.

130. The system of claim 125 wherein the punitive action depends on at least one
of a combination of the history of the behavior of the user device, the history
of the behavior of a particular user on the user device, and the collection of
other software on the user device.

131. The system of claim 124 wherein the software vendor transmits a copy of an
infringing instance of software to the guardian center and the guardian center
computes fingerprints on the copy of the infringing instance of software and
incorporates and stores the fingerprints into the fingerprint data structure on
the guardian center.

132. A software vendor comprising:

a software production mechanism creating at least one instance of
software incorporating a device identifier inside a test and

a user device receiving and installing the instance of software,

the test comprising the comparison of the incorporated identifier with
the identifier of the device upon which the software instance is to be used;

if the incorporated identifier equals the device identifier then the
software instance can be used, otherwise punitive action is taken by the
supervising program on the device.

133. The software vendor of claim 132 wherein the software vendor sends a
digital signature of the hash of the instance of software and

a second test determines whether the digital signature is authentic,
a third test determines whether the value signed is equal to the hash
of the instance of software,

wherein if the digital signature is not authentic or the signed value is
different from the instance of software, then the supervising program in the
device takes punitive action.

134. The software vendor of claim 131 wherein the device identifier is
incorporated at the beginning or at the end of the contents of the software
instance.



135. A method for supervising usage of software comprising the steps of:

creating an instance of software incorporating a device identifier
inside a test, the test comprising the comparison of the incorporated identifier
with the identifier of the device upon which the software instance is to be
used;

distributing the instance of software to a user device;

determining if the attempt to use the instance of the software is
allowable by performing the test and allowing use if the incorporated
identifier equals the device identifier then the software instance can be used,
otherwise performing punitive action.

136. The method of claim 135 comprising the additional steps of:

sending a digital signature of the hash of the instance of software;
determining whether the digital signature is authentic,
determining whether the value signed is equal to the hash of the
instance of software,

wherein if the digital signature is not authentic or the signed value is
different from the instance of software, then the supervising program in the
device takes punitive action.

137. The method of claim 135 wherein the device identifier is placed at the
beginning or at the end of the software instance.
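
The tag construction recited in claims 94, 95 and 106 and the device-side check of claims 64, 65 and 97, as an added Python example that is not code from the patent. SHA-256, the length-prefixed field encoding, hashing the whole content rather than selected portions, and HMAC as a stand-in for the tag server's digital signature are all assumptions of this sketch; a tag server as claimed would use a public-key signature so that a user device holds only the verification key.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed demo key. HMAC-SHA256 stands in for the tag server's signature
# function (assumption). It is symmetric, so it only illustrates the data flow:
# a verifier holding this key could also mint tags.
TAG_SERVER_KEY = b"constructed-demo-key"


def hash_fields(*fields: bytes) -> bytes:
    """SHA-256 over length-prefixed fields, so ("ab", "c") != ("a", "bc")."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(len(field).to_bytes(8, "big"))
        digest.update(field)
    return digest.digest()


def sign(value: bytes) -> bytes:
    """Stand-in for the signature function applied to the second hash value."""
    return hmac.new(TAG_SERVER_KEY, value, hashlib.sha256).digest()


@dataclass(frozen=True)
class Tag:
    name_sw: str         # name of the software
    num_inst_sw: int     # unique number of this instance
    hash_inst_sw: bytes  # second (unsigned) hash value
    signature: bytes     # signature over hash_inst_sw


def instance_hash(name_sw: str, num_inst_sw: int, sw: bytes) -> bytes:
    """First hash over the content, then second hash binding name and number."""
    hash_sw = hash_fields(sw)
    return hash_fields(name_sw.encode("utf-8"),
                       num_inst_sw.to_bytes(16, "big"),
                       hash_sw)


def create_tag(name_sw: str, sw: bytes, num_inst_sw: Optional[int] = None) -> Tag:
    """Tag server side: assign the number, hash, sign, assemble the tag."""
    if num_inst_sw is None:
        num_inst_sw = secrets.randbits(64)  # hard-to-guess instance number
    hash_inst_sw = instance_hash(name_sw, num_inst_sw, sw)
    return Tag(name_sw, num_inst_sw, hash_inst_sw, sign(hash_inst_sw))


def verify_tag(tag: Tag, sw: bytes) -> str:
    """Device side: return "ok", "bad-signature" or "hash-mismatch"."""
    # Check the signature first so unauthenticated fields are never trusted.
    if not hmac.compare_digest(sign(tag.hash_inst_sw), tag.signature):
        return "bad-signature"
    # Recompute the hash chain from the software actually present.
    recomputed = instance_hash(tag.name_sw, tag.num_inst_sw, sw)
    if not hmac.compare_digest(recomputed, tag.hash_inst_sw):
        return "hash-mismatch"
    return "ok"


if __name__ == "__main__":
    software = b"constructed sample program bytes"
    tag = create_tag("editor", software, 1001)
    print(verify_tag(tag, software))            # genuine instance
    print(verify_tag(tag, software + b"\x90"))  # altered content
    moved = Tag(tag.name_sw, 1002, tag.hash_inst_sw, tag.signature)
    print(verify_tag(moved, software))          # tag reused under another number
```

Because the signature covers only the second hash value, the device must recompute that hash from the name, number and content it actually sees; checking the signature alone would accept a tag whose name or number fields had been edited.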
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150 

OBTAIN COPY SW OF NAMED SOFTWARE 
(NAME.SW . SW) AND REQUEST FOR TAGSTO 
INSTANCES OF SW FROM VENDOR 



151A 

ASSIGN UNIQUE NUMBER (NIJJ JNST SW^^^^ 

INST.SW OF NAMED SOFTWARE tNAME_SW. SW) 



152 

COMPUTE HASH_SW = HASH(SW) 



153 



CREATE HASH VALUE FOR INST_SW 
HASHJNST.SW = HASH(NAME_SW. NUM.INST.SW. HASH.SW) 



154A 

CREATE SIGNED TAG FOR SOFTWARE 
TAG INffT SW = (NAME_SW.NUMJNST_SW.HASHJNSTJSW. 
TAt._«M5» - '^K3N_TS(HASHJNSTJSW) ) 
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SECURELY DISTRIBUTE TAGJNST.SW TO 
VENDOR AND/OR-GUARDIAN CENTER 

AND/OR USER OEVICC 
150 
OBTAIN COPY_SW OF NAMED SOFTWARE 
(NAME_SW, SW) AND REQUEST FOR TAGS TO 
INSTANCES OF SW FROM VENDOR 

151B 
ASSIGN UNIQUE NUMBER (NUM_INST_SW) TAKEN FROM 
SECRET SPARSE SET SPARSE_SET TO INSTANCE INST_SW 
OF NAMED SOFTWARE (NAME_SW, SW) 

152 
COMPUTE HASH_SW = HASH(SW) 

153 
CREATE HASH VALUE FOR INST_SW 
HASH_INST_SW = HASH(NAME_SW, NUM_INST_SW, HASH_SW) 

CREATE UNSIGNED TAG FOR SOFTWARE 
TAG_INST_SW = (NAME_SW, NUM_INST_SW, HASH_INST_SW) 

FIG. 3B 
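Steps 152 to 154 of the tag-creation flowcharts above, together with the recomputation a supervising program can perform before storing a tag, as an added Python example (not code from the patent). Assumptions made here: SHA-256 as HASH, length-prefixed field encoding, HMAC-SHA256 standing in for the public-key signature SIGN_TS, and all function names.

```python
import hashlib
import hmac
from typing import Optional

def field_hash(*fields: bytes) -> bytes:
    """HASH over several fields. Each field is length-prefixed so that
    ("ab", "c") and ("a", "bc") cannot produce the same digest."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(len(field).to_bytes(8, "big"))
        digest.update(field)
    return digest.digest()

def make_tag(name_sw: str, num_inst_sw: int, sw: bytes,
             ts_key: Optional[bytes] = None) -> dict:
    """Build TAG_INST_SW; pass ts_key for the signed variant (154A)."""
    hash_sw = field_hash(sw)                                   # step 152
    hash_inst_sw = field_hash(name_sw.encode("utf-8"),         # step 153
                              num_inst_sw.to_bytes(16, "big"), hash_sw)
    tag = {"NAME_SW": name_sw, "NUM_INST_SW": num_inst_sw,
           "HASH_INST_SW": hash_inst_sw}
    if ts_key is not None:
        # Assumption: HMAC stands in for the signature SIGN_TS(HASH_INST_SW).
        tag["SIGN_TS"] = hmac.new(ts_key, hash_inst_sw, hashlib.sha256).digest()
    return tag

def verify_tag(tag: dict, sw: bytes, ts_key: Optional[bytes] = None) -> bool:
    """Recompute the tag from the bytes actually present and compare."""
    expected = make_tag(tag["NAME_SW"], tag["NUM_INST_SW"], sw, ts_key)
    if not hmac.compare_digest(expected["HASH_INST_SW"], tag["HASH_INST_SW"]):
        return False          # software or tag fields were altered
    if ts_key is None:
        return True           # unsigned tag: hash binding only
    return hmac.compare_digest(expected["SIGN_TS"], tag.get("SIGN_TS", b""))

if __name__ == "__main__":
    image = b"constructed program image"       # constructed sample input
    key = b"\x01" * 32                         # constructed demo key
    tag = make_tag("EDITOR", 42, image, key)
    print(verify_tag(tag, image, key), verify_tag(tag, image + b"!", key))
```

With an HMAC the verifier holds the same secret as the issuer; a public-key signature, as the flowchart's SIGN_TS implies, lets the device hold only a verification key.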



WO 00/72119 PCT/US00/11821 5/18 

160 
OBTAIN COPY OF SW OF NAMED SOFTWARE 
(NAME_SW, SW) AND REQUEST FOR TAGS TO 
INSTANCES OF SW FROM VENDOR 

151C 
ASSIGN UNIQUE NUMBER (NUM_INST_SW) TO INSTANCE 
250 
USER DEVICE OBTAINS INSTANCE INST_SW 

REJECT INSTANCE OF 
SOFTWARE (SW) 

YES 

256 
ACTIVATE DEVICE 
PUNITIVE ACTION 

YES 

25S 
STORE TAG (TAG_INST_SW) FOR 
NAMED SOFTWARE 
(NAME_SW, SW) INTO TAG TABLE 
AND INSTALL INST_SW ON USER 
DEVICE 

INSTALLING TAGGED INSTANCE OF VENDOR 
SOFTWARE (SW) ON USER DEVICE 

FIG. 5 








330 
USER INSTALLS INSTANCE OF UNTAGGED 
SOFTWARE ON USER DEVICE 
UNTAGGED_SW = STRING[0...N] 

331 
SUPERVISING PROGRAM FINGERPRINTS UNTAGGED SOFTWARE 
Xi = FP(STRING[i, i+k-1]) 
FOR m CHOSEN INDEXES 0 <= i <= N-k+1, FOR A FIXED STANDARD k 

332 

FIG. 7 






270 
USER REQUESTS 
INVOCATION OF 
INSTANCE OF 
SOFTWARE 

271 
SUPERVISING PROGRAM 
INTERCEPTS CALL TO 
REQUESTED SOFTWARE 

CONTINUE 

275 
ALLOW ACCESS 

276 
DENY ACCESS 

277 
UPDATE TAG TABLE 

USAGE SUPERVISION PROCESSING 

FIG. 8 




TO COMMUNICATION NETWORK 100 

103 
GUARDIAN CENTER 

301 
PROCESSOR 

BUS 306 

300 
GUARDIAN CENTER DATABASES 

137 
FINGERPRINT DATA STRUCTURE 

138 
TAGGED SOFTWARE DATABASE 

303 
INTERCONNECTION MECHANISM 
[E.G., MODEM 

302 
MEMORY 

315 
VERIFICATION PROGRAM (VRP) 

126 
FINGERPRINT TABLE 

210 
TAG TABLE 

FIG. 9 






340 
VENDOR DETECTS INFRINGING 
SOFTWARE (INF_SW) 

341 
VENDOR SUBMITS COPY OF INFRINGING SOFTWARE (INF_SW) TO 
GUARDIAN CENTER 
INF_SW = STRING_INF[0...N] 

342 
GUARDIAN CENTER COMPUTES ALL 
FINGERPRINTS Yi ON INFRINGING SOFTWARE 
Yi = FP(STRING_INF[i, i+k-1]), WHERE 
0 <= i <= N-k+1 

343 
GUARDIAN CENTER INCORPORATES Y1,...,YN-k+1 
INTO THE FINGERPRINT DATA STRUCTURE 

GUARDIAN CENTER MADE AWARE OF INFRINGING SOFTWARE 

FIG. 11 
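How the device-side sample of step 331 meets the guardian center's full index of steps 342 and 343, as an added Python example (not code from the patent). Assumptions made here: FP is SHA-256 truncated to 8 bytes, k is 16 bytes, the fingerprint data structure is a set, and all function names.

```python
import hashlib
import random

K = 16  # the fixed standard window length k; 16 is this example's choice

def fp(window: bytes) -> bytes:
    """Stand-in for FP: SHA-256 truncated to 8 bytes."""
    return hashlib.sha256(window).digest()[:8]

def guardian_index(inf_sw: bytes, k: int = K) -> set:
    """Steps 342-343: fingerprint every k-byte window of INF_SW and store
    all Yi, so a later match does not depend on window alignment."""
    return {fp(inf_sw[i:i + k]) for i in range(len(inf_sw) - k + 1)}

def device_fingerprints(untagged_sw: bytes, m: int, k: int = K, rng=None) -> list:
    """Step 331: fingerprint m chosen windows Xi of the untagged software.
    Indexes come from the OS random source unless a seeded rng is passed."""
    rng = rng or random.SystemRandom()
    last_start = len(untagged_sw) - k
    if last_start < 0:
        return []                      # shorter than one window
    starts = rng.sample(range(last_start + 1), min(m, last_start + 1))
    return [fp(untagged_sw[i:i + k]) for i in starts]

def match_count(device_fps: list, index: set) -> int:
    """Number of device fingerprints Xi that equal some stored Yi."""
    return sum(1 for x in device_fps if x in index)

if __name__ == "__main__":
    gen = random.Random(7)             # constructed sample data
    inf_sw = bytes(gen.getrandbits(8) for _ in range(2000))
    padding = bytes(gen.getrandbits(8) for _ in range(100))
    repackaged = padding + inf_sw      # same code at a shifted offset
    unrelated = bytes(gen.getrandbits(8) for _ in range(2000))
    index = guardian_index(inf_sw)
    print(match_count(device_fingerprints(repackaged, 64), index))
    print(match_count(device_fingerprints(unrelated, 64), index))
```

Because the guardian center indexes every offset while the device samples only m windows, the device's cost stays small and the 100-byte shift in the constructed sample does not prevent a match.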
370 
USER DEVICE'S SUPERVISING PROGRAM CALLS UP THE GUARDIAN CENTER IN 
ACCORDANCE WITH CALLUP_POLICY OR CALLUP_POLICY(SW) FOR THE 
PARTICULAR SOFTWARE (SW) REFERENCED IN TAGS TAG_INST_SW IN 
TAG TABLE 

YES 

CONTINUATION MESSAGE FOR THE PRESENT CALL UP 

FOR EVERY PAY PER USE INST_SW IN TAG_TABLE, SEND 
USAGE DATA TO VENDOR AND FOR EVERY EXPIRED INST_SW 
IN TAG TABLE, PREPARE ACTION = DISABLE(TAG_INST_SW) 

422 
FOR EVERY FULLY VERIFIED AND 
UNEXPIRED INST_SW, PREPARE ACTION = 
CONTINUE(TAG_INST_SW) 

PREPARE CONTINUATION MESSAGE 
CM = (TIME, ID_TAG_TABLE, ACTIONS, HASH(TAG_TABLE), 
SIGN_GC(TIME, HASH(ID_TAG_TABLE), HASH(ACTIONS), 
HASH(TAG_TABLE))), WHERE ACTIONS = (ACTION1, ACTION2, 
...) SELECTED FROM LIST OF ACTIONS AND PUNITIVE 
ACTIONS FOR USER DEVICE'S SUPERVISING PROGRAM 
OPEN SHARED SOFTWARE DATA SSD AND 

703 
ALLOW ACCESS TO 
SHARED SOFTWARE 
DATA SSD 

CONSULT LAST ACCESS TABLE TO 
DETERMINE IF THE INST_SW HAVING 
TAG T ACCESSED THE SHARED 
SOFTWARE DATA SSD AT THE TIME X? 

704 
PERFORM USER DEVICE 
PUNITIVE ACTION 

FIG. 15 



